From: [EMAIL PROTECTED]
Operating system: Linux
PHP version: 4.2.2
PHP Bug Type: Feature/Change Request
Bug description: Session security enhancements
I've noticed a few similar requests being marked as bogus, often for lack of feedback or because the original submitter didn't seem to really understand what they were asking.

It would be nice if the cookie used by PHP to propagate the session id between pages could conform to the following format:

    PHPSESSIONID="expTime+sessionid+MD5(expTime+sessionid+server_secret)"

where expTime is the unix timestamp at which point the _server_ should stop accepting this cookie, sessionid is the current value, and server_secret is some php.ini value used to generate a secure MAC. '+' represents string concatenation with a delimiter not found in the input strings. Client_IP should also be considered for inclusion in the cookie and MAC. expTime can default to some time far in the future if people don't want to expire cookies (transient or permanent) at the server-side.

session_start would need to be revised to extract the payload, recalculate the MAC and check for cookie expiration. For reasons of backward compatibility it might be best to change the name of the cookie variable so that session_start can detect which format of cookie to parse, so that people who don't need the added level of security aren't penalized with the increased computational load.

This feature, if client ip is included and checked, protects users from (most) replay attacks and protects both the server and client from session hijacking. At present one can fake this feature by setting a user-defined cookie with all the needed data and then comparing the sessionid from the session cookie with the sessionid in the user cookie. While this method works, it requires sending two cookies to the user, which is less than ideal.
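The cookie construction and the verification step a revised session_start would perform, as an added example in PHP (not code from the bug report or from PHP's session extension). It assumes '|' as the delimiter that neither field may contain, a placeholder in place of the php.ini server secret, and HMAC-SHA256 (hash_hmac) in place of the MD5(data + secret) construction the report sketches, since HMAC is the standard keyed MAC for this purpose; the client IP is an optional MAC input as the report proposes.

```php
<?php
// Added example (not from the bug report or from PHP's session extension):
// build and verify a self-authenticating session cookie of the shape
//   expTime | sessionid | MAC(expTime | sessionid [| client_ip] | server_secret)
// Assumptions: '|' is the delimiter (neither field may contain it), the
// server secret is a configured value stood in for by a placeholder below, and
// HMAC-SHA256 replaces the MD5(data + secret) construction of the report.

const COOKIE_DELIM = '|';

// MAC over exactly the fields the server will trust; the secret never leaves the server.
function session_cookie_mac(string $expStr, string $sessionId, ?string $clientIp, string $serverSecret): string
{
    $macInput = $expStr . COOKIE_DELIM . $sessionId;
    if ($clientIp !== null) {
        $macInput .= COOKIE_DELIM . $clientIp;
    }
    return hash_hmac('sha256', $macInput, $serverSecret);
}

function make_session_cookie(string $sessionId, int $expTime, string $serverSecret, ?string $clientIp = null): string
{
    if ($sessionId === '' || strpos($sessionId, COOKIE_DELIM) !== false) {
        throw new InvalidArgumentException('session id must be non-empty and free of the delimiter');
    }
    $expStr = (string) $expTime;
    $mac = session_cookie_mac($expStr, $sessionId, $clientIp, $serverSecret);
    return $expStr . COOKIE_DELIM . $sessionId . COOKIE_DELIM . $mac;
}

/**
 * What a revised session_start() would do with the presented cookie: return the
 * session id when the MAC verifies and the cookie is unexpired, otherwise null
 * (the caller then starts a fresh session instead of trusting the presented id).
 */
function verify_session_cookie(string $cookie, string $serverSecret, int $now, ?string $clientIp = null): ?string
{
    $parts = explode(COOKIE_DELIM, $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$expStr, $sessionId, $mac] = $parts;
    if (!ctype_digit($expStr) || $sessionId === '') {
        return null;
    }
    $expected = session_cookie_mac($expStr, $sessionId, $clientIp, $serverSecret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison of the MACs
        return null;
    }
    if ((int) $expStr <= $now) {           // server-side expiry, independent of the browser
        return null;
    }
    return $sessionId;
}

// Constructed demonstration values; the secret is a placeholder, not a real one.
$secret = 'PLACEHOLDER-server-secret-from-php-ini';
$sid    = bin2hex(random_bytes(16));
$issued = time();
$cookie = make_session_cookie($sid, $issued + 3600, $secret, '192.0.2.10');

// Intact cookie, within its lifetime, from the same client address: accepted.
var_dump(verify_session_cookie($cookie, $secret, $issued + 10, '192.0.2.10') === $sid);
// Session id swapped for another value: the MAC no longer matches.
$altered = str_replace($sid, bin2hex(random_bytes(16)), $cookie);
var_dump(verify_session_cookie($altered, $secret, $issued + 10, '192.0.2.10'));
// Presented after expTime: rejected by the server regardless of browser behaviour.
var_dump(verify_session_cookie($cookie, $secret, $issued + 7200, '192.0.2.10'));
// Same cookie presented from a different client address: the IP-bound MAC fails.
var_dump(verify_session_cookie($cookie, $secret, $issued + 10, '198.51.100.7'));
```

The MAC is checked before the expiry so that a reply's timing does not distinguish "bad MAC" from "expired" on a forged cookie, and the returned session id is still only a key into server-side session storage; the cookie proves that the server issued this id with this lifetime, it does not carry session data itself.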
For more information about why this type of cookie is preferred, there is a long article at http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf

-- Edit bug report at http://bugs.php.net/?id=19674&edit=1