From: "Boyan Nedkov" <[EMAIL PROTECTED]> > [snip] > > ... Short of any severe bugs in PHP's core, there is no way for a > > user of your Web application to modify session data ... > [/snip] > > It seems that statement is not completely correct considering the topic > discussed in the paper 'Session Fixation Vulnerability in Web-based > Applications' (http://secinf.net/uplarticle/11/session_fixation.pdf). I > am also interested in the session security issue so any comments on that > publication are welcome.
No, the statement is still correct. The paper discusses how malicious users could possibly set the SESSION_ID to a predetermined value and then hijack the session because they know it's value. They still cannot directly change session variables that your script is creating. In order to combat session fixation, use the session_regenerate_id() function: http://us2.php.net/manual/en/function.session-regenerate-id.php ---John Holmes... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
