On Tue, 17 Jun 2003, Ian Grigg wrote:

> does anyone know the easy way to secure a PHP website against
> session fixation?
I noticed that the PHP documentation includes a new section on session insecurity and a link to the paper on session fixation.

http://www.php.net/manual/en/ref.session.php

The latest version of PHP (4.3.2) includes a new function which should be called by your login processing page as soon as you mark the session as logged in to generate a new session ID. That should solve the session fixation problem since any previous session is discarded by this function.

http://www.php.net/manual/en/function.session-regenerate-id.php

Unfortunately it does seem that anyone using the PHP session generator is vulnerable until they apply this change. I suspect the PHP mailing lists have been buzzing about this. Further discussion of PHP should probably go there rather than here.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
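The following is an added example, not code from the post or from the PHP project, showing the fix described above: a login handler that calls session_regenerate_id() at the moment the session is marked as logged in, next to the pattern it replaces. The user store, the credentials and the function names are constructed for this example. It assumes PHP 5.5 or later (for password_verify()); on the 4.3.2 release discussed in the post, session_regenerate_id() takes no argument, so drop the `true`.

```php
<?php
// Added example (not from the mailing-list post): a login handler that
// regenerates the session ID at the moment the session becomes authenticated.
//
// Assumptions: the user store and credentials below are constructed for this
// example; session_regenerate_id() exists in PHP >= 4.3.2, its
// delete_old_session argument (used here) in PHP >= 5.1.0, and
// password_hash()/password_verify() in PHP >= 5.5.
declare(strict_types=1);

// Constructed user store: username => password hash.
function users(): array
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users;
}

function credentials_valid(string $user, string $pass): bool
{
    $table = users();
    return isset($table[$user]) && password_verify($pass, $table[$user]);
}

// Pattern the post warns about: the session ID the browser arrived with
// survives the login, so an ID that was planted in the browser before the
// login becomes an authenticated session. Kept here only for contrast.
function login_vulnerable(string $user, string $pass): bool
{
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same session ID before and after login
    return true;
}

// Fixed pattern: authenticate, then replace the session ID before storing
// any authenticated state in the session.
function login_fixed(string $user, string $pass): bool
{
    if (!credentials_valid($user, $pass)) {
        return false;
    }
    // Issue a fresh ID and delete the old session data (true), so whatever
    // ID the client arrived with is no longer tied to a logged-in session.
    // Must run before any output is sent, since it sets a new cookie.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Demonstration when run from the CLI (php login.php). A web handler would
// read the credentials from $_POST instead of the constructed values here.
if (PHP_SAPI === 'cli') {
    session_start();
    $before = session_id();
    $ok = login_fixed('alice', 'correct horse battery staple');
    $after = session_id();
    echo $ok ? "login ok\n" : "login failed\n";
    echo 'session id changed: ' . ($before !== $after ? 'yes' : 'no') . "\n";
}
```

The important ordering is inside login_fixed(): the ID is regenerated after the credentials check succeeds and before anything marking the session as logged in is written, so the only session that ever carries authenticated state is one whose ID the server chose at login time. The post does not mention it, but later PHP versions (5.5.2 and up) also offer the session.use_strict_mode ini setting, which makes PHP refuse session IDs it did not generate itself; that is a useful complement to the regeneration call, not a replacement for it.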