Hello,
The PHP manual says it is the developer's job to ensure PHP sessions cannot
be stolen or "fixed" (this is called Session Fixation).
To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
can port it for the other versions too - just ask...), that makes (almost)
sure the current user IS the session creator. It is based on client IP
addresses.
This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
If you think this could be useful, it could be improved and someday be part
of the official distro.
Jerome Delamarche
> Hello,
> The PHP manual says it is the developer's job to ensure PHP sessions cannot
> be stolen or "fixed" (this is called Session Fixation).
> To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
> can port it for the other versions too - just ask...), that makes (almost)
> sure the current user IS the session creator. It is based on client IP
> addresses.
> This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
> If you think this could be useful, it could be improved and someday be part
> of the official distro.

I remember reading in the forums before that using the request IP to
"fixate" a session isn't practical since some ISPs (namely AOL) can have
the request IP suddenly change between one request and another.
Cheers,
Rob.
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
>> Hello,
>> The PHP manual says it is the developer's job to ensure PHP sessions cannot
>> be stolen or "fixed" (this is called Session Fixation).
>> To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
>> can port it for the other versions too - just ask...), that makes (almost)
>> sure the current user IS the session creator. It is based on client IP
>> addresses.
>> This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
>> If you think this could be useful, it could be improved and someday be part
>> of the official distro.
>
> I remember reading in the forums before that using the request IP to
> "fixate" a session isn't practical since some ISPs (namely AOL) can have
> the request IP suddenly change between one request and another.

Yes, this behavior is quite common for many of the large ISPs.
George
> Hello,
> sure the current user IS the session creator. It is based on client IP
> addresses.

A legal user can have multiple IP addresses at the same time. There can be
several reasons for this,
for example:
a) ISP did disconnect him in between clicks
b) he is using a proxy but for the https part of your site he has no proxy
c) he or his proxy is using a NAT gateway
Stefan Esser
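Added example, not the sesfixpatch from the thread nor any PHP project code: the PHP-side defences against session fixation that do not bind the session to the client IP, which the replies above show cannot be assumed stable. It assumes PHP 5.5.2 or later for session.use_strict_mode; the thread's PHP 4.3.5 already has session_regenerate_id() but not that setting.

```php
<?php
// Added example, not the sesfixpatch from the thread: PHP-side defences
// against session fixation that do not bind the session to the client IP.
// Assumes PHP >= 5.5.2 (session.use_strict_mode); the thread's PHP 4.3.5
// already has session_regenerate_id() but not the strict-mode setting.
declare(strict_types=1);

// 1. Never adopt a session ID the client presents unless the server issued it.
//    Without this, a victim who follows a link carrying an attacker-chosen
//    PHPSESSID is "fixed" to that ID before they ever log in.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in URLs
ini_set('session.cookie_httponly', '1');   // keep the cookie away from scripts
session_start();

// 2. On successful login, issue a fresh ID and delete the old session, so any
//    ID planted before authentication no longer maps to the logged-in state.
function promote_session_after_login(string $user): void
{
    session_regenerate_id(true);       // true: remove the old session data
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
}

// 3. Per request, enforce an absolute session lifetime. The client IP is
//    deliberately not compared: as the replies note, it can change between
//    clicks (ISP reconnects, proxies, NAT), so an IP check locks out real
//    users while anyone behind the same proxy or NAT passes it anyway.
function session_is_valid(int $max_age_seconds = 8 * 3600): bool
{
    if (!isset($_SESSION['user'], $_SESSION['auth_time'])) {
        return false;
    }
    return (time() - (int) $_SESSION['auth_time']) <= $max_age_seconds;
}
// 4. On logout or when validation fails, clear both server state and cookie.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
if (isset($_SESSION['user']) && !session_is_valid()) {
    destroy_session();
}
```

Call promote_session_after_login() only after the credentials have been verified; calling it on every request would defeat the point of comparing the ID the client sends with the one the server issued.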