Edit report at https://bugs.php.net/bug.php?id=19674&edit=1

 ID:                 19674
 Updated by:         [email protected]
 Reported by:        nielsene at mit dot edu
 Summary:            Session security enhancements
-Status:             Analyzed
+Status:             Wont fix
 Type:               Feature/Change Request
 Package:            Session related
 Operating System:   Linux
 PHP Version:        4.2.2
 Block user comment: N
 Private report:     N

 New Comment:

There will be strict session. 
You can now use session_regenerate_id() to do this with a script.


Previous Comments:
------------------------------------------------------------------------
[2002-10-01 03:16:05] [email protected]

It's just like my "protecting GET/POST/COOKIE vars" script at zend.com. This is 
worth implementing.

Anyone can implement this with their own session save handler now if they would 
like.

------------------------------------------------------------------------
[2002-09-30 08:41:19] nielsene at mit dot edu

I've noticed a few similar requests being marked as bogus, often for lack of 
feedback or because the original submitter didn't seem to really understand what 
they were asking.

It would be nice if the cookie used by PHP to propagate the session id between 
pages could conform to the following format:
PHPSESSIONID="expTime+sessionid+MD5(expTime+sessionid+server_secret)"
where expTime is the Unix timestamp at which point the _server_ should stop 
accepting this cookie, sessionid is the current value, server_secret is some 
php.ini value used to generate a secure MAC.  '+' represents string 
concatenation with a delimiter not found in the input strings.  Client_IP 
should also be considered for inclusion in the cookie and MAC.

expTime can default to some time far in the future if people don't want to 
expire cookies (transient or permanent) at the server-side.

session_start would need to be revised to extract the payload, recalculate the 
MAC and check for cookie expiration.  For reasons of backward compatibility it 
might be best to change the name of the cookie variable so that session_start 
can detect which format of cookie to parse so that people who don't need the 
added level of security aren't penalized with the increased computational load.

This feature, if client ip is included and checked, protects users from (most) 
replay attacks and protects both the server and client from session hijacking.  
At present one can fake this feature by setting a user-defined cookie with all 
the needed data and then comparing the sessionid from the session cookie with 
the sessionid in the user cookie.  While this method works, it requires sending 
two cookies to the user, which is less than ideal.

For more information about why this type of cookie is preferred, there is a long 
article at http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf


------------------------------------------------------------------------
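The cookie format requested in the 2002-09-30 comment, sketched in userland PHP as an added example (not code from the report or from PHP's session module). The function names, the `|` delimiter and the sample values are assumptions, HMAC-SHA256 is swapped in for the MD5(data+secret) construction named in the request, and the client IP is bound into the MAC only rather than stored in the cookie.

```php
<?php
// Added example; all names are hypothetical, not part of PHP's session API.
// Cookie value: expTime|sessionid|MAC, with MAC = HMAC-SHA256(expTime|sessionid|clientIp).
const DELIM  = '|';                     // assumed delimiter, must not occur in any field
const SID_RE = '/^[A-Za-z0-9,-]+$/';    // characters allowed in a session id here

function make_session_cookie(string $sid, int $expTime, string $secret, string $clientIp = ''): string
{
    if (!preg_match(SID_RE, $sid)) {
        throw new InvalidArgumentException('session id contains unexpected characters');
    }
    $mac = hash_hmac('sha256', $expTime . DELIM . $sid . DELIM . $clientIp, $secret);
    return $expTime . DELIM . $sid . DELIM . $mac;
}

// Returns the session id if the cookie is authentic and unexpired, otherwise null.
function verify_session_cookie(string $cookie, string $secret, int $now, string $clientIp = ''): ?string
{
    $parts = explode(DELIM, $cookie);
    if (count($parts) !== 3) {
        return null;                    // wrong shape, e.g. an old-format cookie
    }
    [$expTime, $sid, $mac] = $parts;
    if (!preg_match('/^\d+$/', $expTime) || !preg_match(SID_RE, $sid)) {
        return null;
    }
    $expected = hash_hmac('sha256', $expTime . DELIM . $sid . DELIM . $clientIp, $secret);
    if (!hash_equals($expected, $mac)) { // constant-time comparison of the MACs
        return null;
    }
    return ((int)$expTime > $now) ? $sid : null;   // server-side expiry check
}

// Constructed sample values for demonstration only.
$secret   = 'constructed-demo-secret';
$now      = 1700000000;
$cookie   = make_session_cookie('abc123def456', $now + 3600, $secret, '192.0.2.10');
$tampered = str_replace('abc123def456', 'abc123def457', $cookie);

var_dump(verify_session_cookie($cookie, $secret, $now, '192.0.2.10'));        // unmodified cookie, same client
var_dump(verify_session_cookie($cookie, $secret, $now + 7200, '192.0.2.10')); // presented after expTime
var_dump(verify_session_cookie($cookie, $secret, $now, '198.51.100.7'));      // presented from another address
var_dump(verify_session_cookie($tampered, $secret, $now, '192.0.2.10'));      // session id altered
```

The MAC is verified before the expiry check so that an attacker-supplied expTime is never trusted before it has been authenticated.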


