At 02:48, Sunday 18 August 2002, Rasmus Lerdorf wrote:
> But the real issue here is about session hijacking. Yes, of course people
> can send whatever session id they want to PHP. Since the session id comes
> from the user we need to accept what is sent.

This is what I consider inconceivable. Why ever should tickets issued by the user be accepted, to what pro? Something clashes here with that 'very unpredictable dedicated device'. I'd prefer no acceptance of user provided id, if not where expressly configured.

> Perhaps a check should be
> added to make sure it looks like a proper session id before using it, but
> this can be done easily in user space and it really doesn't affect
> security in any way. We are trying to protect the existing sessions
> sitting behind the unpredictable PHP-generated session ids. Why would a
> normal user hack himself and choose a predictable session id?

He'd induce someone else to do it, by passing it in the URL, SSL or not, which takes us back to the beginning of this thread.

Gian

>
> -Rasmus
>
> On Sun, 18 Aug 2002, Giancarlo wrote:
>
> > Rasmus Lerdorf wrote:
> >
> > > > Any propagation, doesn't matter.
> > > > The passed id must exist, otherwise discarded and regenerated.
> > > > I saw that php already creates the session at the start.
> > > >
> > > > The possibility to count on a stable name, because recreatable anytime
> > > > and though surviving gc, is a great weakness for that type of snoop.
> > > > php has to have the nicely dedicated devices to generate the id.
> > >
> > > And it does. The session ids are not predictable, especially if you
> > > set the entropy source to something like /dev/urandom in php.ini
> > >
> > > -Rasmus
> >
> > Sorry, but I feel like speaking with HAL..
> >
> > The unpredictable choice has to be made by a dedicated device except
> > whenever any user decides to create his favourite one?
> >
> > I mean by appending ?PHPSESSID=foo that is what happens.
> > User choice is given priority over that dedicated device.
> > User can force php to create and recreate anytime any known id of his
> > choice.
> >
> >
> > Gian

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
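The two mitigations argued over in this message, Rasmus's "check that it looks like a proper session id before using it, in user space" and Giancarlo's "the passed id must exist, otherwise discarded and regenerated", can both be implemented as a small guard in front of session_start(). The following is an added example written for this page; it is not code from the thread or from PHP itself. It assumes PHP 7 or later (for random_bytes and scalar type hints); the function names and the `__issued` session key are this example's own, while the ini settings are real PHP options.

```php
<?php
// Added example (not from the original thread): refuse a client-chosen
// session id unless the server itself issued it.
// Assumptions: PHP >= 7; the helper names and the '__issued' marker are
// invented for this example. The two ini settings are real PHP options.

// Read the id from the cookie only, never from the query string, so that
// appending ?PHPSESSID=foo to a link no longer selects the session.
ini_set('session.use_only_cookies', '1');

// PHP >= 5.5.2: reject any id that does not belong to an existing session
// and generate a fresh one instead. This is the built-in form of
// "the passed id must exist, otherwise discarded and regenerated".
ini_set('session.use_strict_mode', '1');

/**
 * User-space shape check: accept only ids that look like the ones PHP
 * generates by default (32 lowercase hex characters).
 */
function looksLikePhpSessionId(string $id): bool
{
    return (bool) preg_match('/\A[0-9a-f]{32}\z/', $id);
}

/**
 * Start the session and make sure the id in use was chosen by the server.
 *
 * A client-supplied id that PHP has never seen yields an empty session
 * without our '__issued' marker; in that case the id is replaced by one
 * generated here, so a fixed id never becomes a live, authenticated one.
 */
function startTrustedSession(): void
{
    $name = session_name();   // 'PHPSESSID' unless configured otherwise

    if (isset($_COOKIE[$name]) && !looksLikePhpSessionId($_COOKIE[$name])) {
        // Malformed id: override it with a server-generated one before
        // session_start() has a chance to read the cookie.
        session_id(bin2hex(random_bytes(16)));
    }

    session_start();

    if (empty($_SESSION['__issued'])) {
        // Either a brand-new session or an id the server never handed out:
        // discard the old id (and its file) and mark the replacement as ours.
        session_regenerate_id(true);
        $_SESSION['__issued'] = time();
    }
}

/**
 * Call this whenever the privilege level changes (e.g. after login), so an
 * id that was visible before authentication does not survive it.
 */
function rotateSessionId(): void
{
    session_regenerate_id(true);
    $_SESSION['__issued'] = time();
}

// Usage: call startTrustedSession() at the top of every request instead of
// a bare session_start(), and rotateSessionId() right after a successful login.
startTrustedSession();
```

On builds with session.use_strict_mode, the ini setting alone already turns an unknown id into a freshly generated one; the `__issued` marker makes that decision explicit in user space and also covers the login step, where an id the client knew before authenticating should not be the one that carries the authenticated session afterwards.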