From:             spagmoid at yahoo dot com
Operating system: All
PHP version:      4.3.2
PHP Bug Type:     Session related
Bug description:  Security lapse due to flaw in session.use_only_cookies

Description:
------------
Our SIDs have been leaking out today and becoming shared between 5+ users at once, causing massive corruption. Our theory is that session.use_only_cookies does not always work. It sometimes allows the SID to propagate in the URL when cookies are disabled (noticed in Netscape, not IE, for some reason).

--
Edit bug report at http://bugs.php.net/?id=24781&edit=1
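
One way to check web server logs for the symptom described in the report (a session ID travelling in URLs and being used by several clients), as an added example that is not part of the original report. It assumes combined-format access logs and PHP's default session name `PHPSESSID`; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

SESSION_PARAM = "PHPSESSID"  # assumption: PHP's default session.name

# Constructed sample access-log lines (combined format), not taken from the report.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Jul/2003:10:00:01 +0000] "GET /cart.php?PHPSESSID=aaa111 HTTP/1.0" 200 512 "-" "Mozilla/4.7"
198.51.100.9 - - [25/Jul/2003:10:00:07 +0000] "GET /cart.php?PHPSESSID=aaa111 HTTP/1.0" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
192.0.2.44 - - [25/Jul/2003:10:01:30 +0000] "GET /index.php HTTP/1.0" 200 900 "http://example.test/cart.php?PHPSESSID=aaa111" "Mozilla/4.0"
192.0.2.77 - - [25/Jul/2003:10:02:00 +0000] "GET /view.php?id=3&PHPSESSID=bbb222 HTTP/1.0" 200 300 "-" "Mozilla/4.7"
192.0.2.77 - - [25/Jul/2003:10:02:05 +0000] "GET /view.php?id=4 HTTP/1.0" 200 300 "-" "Mozilla/4.7"
"""

# client IP, request target, Referer header
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d+ \S+ "([^"]*)"'
)


def sids_in(url):
    """Return every session ID carried in the query string of a URL."""
    return parse_qs(urlsplit(url).query).get(SESSION_PARAM, [])


def find_url_sids(log_text):
    """Map each SID seen in a request URL or Referer to the client IPs that sent it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, target, referer = m.groups()
        for sid in sids_in(target) + sids_in(referer):
            seen[sid].add(ip)
    return dict(seen)


def shared_sids(log_text, min_clients=2):
    """SIDs presented by at least min_clients distinct client IPs."""
    return {sid: ips for sid, ips in find_url_sids(log_text).items()
            if len(ips) >= min_clients}


if __name__ == "__main__":
    for sid, ips in shared_sids(SAMPLE_LOG).items():
        print(f"SID {sid} used from {len(ips)} clients: {sorted(ips)}")
```

Any hit from `find_url_sids` shows a session ID in a URL at all; `shared_sids` narrows that to IDs used from more than one address, which proxies and NAT can also produce.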