Justin French wrote: > > Hi all, > > About 2.30 in the morning I started kicking around an idea, based on the > recent discussions on sessions, and what --enable-trans-sid did. > > From my understanding: > > + if there is no session cookie, set a cookie AND append a > session ID to URLs on the first (session start) page >
AND do a redirect to self. This is how phplib worked. How do you distinguish the 'first page' from the others? > + on the next page, the session is carried, and it checks to > see if the cookie set on the prev. page can be found > > - if it can, it now knows (presumably by setting a session > var) that cookies are okay > > - if it can't, it assumes cookies are not avail, and it > knows that the session must be appended to each URL > Not quite like that. This is the same as saying: if there's a session in the URL ad no cookie, presume cookies are not available. Wrong presumption. This is the reason why now it is spoofable by opening any page with a user-provided session in the URL > + if the session ID must be appended, it waves a magic wand > over every .php page and appends a session id... i GUESS > through buffering or parsing the entire output. > > So, couldn't this be emulated by : > > + following the same set/check routine above > + if needed, wave a magic wand over the output before it's sent to the page, > by the use of output buffering? > > If some enough ppl on this list believe it's a good idea to pursue this, and > don't think it will result in a big performance drop or anything, I'm keen > to start work on it as an opensource project, hopefully with the support of > this list to make sure it stays on the right track. > > On the other hand, there may be a huge flaw in my idea :D > > Justin French -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php