You guys are missing the point. This isn't a language level issue. I
can imagine some sort of package or a library being made, some sort of
wrapper around the current session commands, perhaps integrated into
some sort of extension.

But it is NOT a language level issue. This isn't a problem the
language needs to solve, ESPECIALLY since userland implementation is
so trivial.

The core of the problem is education, not a lack of tools on the side of
the language. And that's where the focus should be. How do we do it? I
don't know. Blog posts? PHP manual? Conferences? Maybe.

But I still don't think this is a problem that the language should solve.

On Sat, Sep 28, 2013 at 1:47 AM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
> Hi Leigh,
>
> On Fri, Sep 27, 2013 at 7:12 PM, Leigh <lei...@gmail.com> wrote:
>
>> So on a successful session hijack (correct SID, new IP) the attacker
>> gets a new SID and keeps the valid session while the legitimate user
>> gets kicked out.
>>
>> Not seeing how that improves things at all.
>>
>
> There are 2 improvements:
>
> 1. Generally speaking, more frequent session ID regeneration is more
> secure.
> 2. Detection/indication of attacks is good for security.
>
> Showing active sessions and possible intrusion/source of intrusion is the
> application's task, but session ID regeneration upon IP change is an easy
> and simple task for the session module. Why not have it as an optional
> feature?
>
> It would be better than nothing if the end user has a chance to know about
> the attack. IMHO.
>
> Many systems have a notification mail when a password or important
> information has changed. The damage has already been done if it is an
> attack, but the user could know there was an attack. Session ID
> regeneration is the same kind of countermeasure.
>
> If the app supports a number of active sessions, the user could verify
> whether they are under a session hijack attack or not. It's up to the app,
> though.
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
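The userland wrapper the reply above has in mind, and the IP-change regeneration Yasuo describes, can be sketched in a few lines. This is an added example, not code from the thread or from PHP's session module; it assumes the plain `session_*` API, `REMOTE_ADDR` as the client address (a deployment behind a proxy has to derive the address differently), and a caller-supplied callback as the hypothetical hook for surfacing the event.

```php
<?php
// Added example: start the session and regenerate its ID whenever the
// client address differs from the one the session was created with.
// The IP history is kept in the session so the application can show the
// user where the session has been used from.
function session_start_ip_aware(?callable $onIpChange = null): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
        return false;
    }
    // Assumption: REMOTE_ADDR is the real client address (no trusted proxy).
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['__ip'])) {
        // First request of this session: remember the originating address.
        $_SESSION['__ip'] = $ip;
        $_SESSION['__ip_changes'] = [];
        return true;
    }

    if ($_SESSION['__ip'] !== $ip) {
        // Address changed: issue a fresh ID and delete the old session file
        // so the previous SID can no longer be presented by anyone.
        session_regenerate_id(true);
        $_SESSION['__ip_changes'][] = [
            'from' => $_SESSION['__ip'],
            'to'   => $ip,
            'at'   => time(),
        ];
        $_SESSION['__ip'] = $ip;
        if ($onIpChange !== null) {
            // Hypothetical hook: the application decides what the event means.
            $onIpChange($_SESSION['__ip_changes']);
        }
    }
    return true;
}

// Usage: log the change; an application could instead require
// re-authentication or destroy the session here.
session_start_ip_aware(function (array $changes): void {
    $last = end($changes);
    error_log(sprintf('session IP changed %s -> %s', $last['from'], $last['to']));
});
```

Note that regeneration by itself keeps whoever presented the old SID in the session, which is exactly Leigh's objection; the callback is where an application would choose to invalidate the session or force a new login rather than merely record the change.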

-- 
PHP Internals - PHP Runtime Development Mailing List