I myself wrote:
>
> Can I tell you more than what the subject says?
> proceeding:
> Close the browser, clean all your cookies, and open any page with that
> ?PHPSESSID=spoofme appended.
> And see what happens.
>
> 1) No cookies are left
> 2) a session 'spoofme' is created
>
> Do you need more? Javascript url injection and cross site scripting
> become obsolete with this 'feature'.
>
> PLS!
>
> I mean, as the zend site doesn't quite work like this (do the same test
> proceeding as described above...)
> Their session to append to your cookie-enabled browser location are
> Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their
> login page.
>
> I don't know if this is related to the free downloadable version, and
> the one they sell and adopt is more 'fortified'... they should clearly
> state it then!
>
> Gian
I've committed the latest PHPLIB version (php-lib-stable) that humbly tries to prevent this insecure behaviour, as I said in one of my prev messages. I can't extend it to the so-called PHPLIB4 (that uses native PHP4 session) tree, because PHP is truly holed in that.

Gian

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
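A defensive counterpart to the ?PHPSESSID=spoofme test above, added here as an example and not code from the original post, from PHPLIB or from Zend: a PHP script that only continues sessions the server itself issued and regenerates the id on login, so an id planted in the URL is never adopted. The function names and the `__issued_by_server` marker are ours; it assumes PHP 7.1 or later (session.use_strict_mode needs 5.5.2+).

```php
<?php
// Added example: refuse to adopt a session id the server did not issue.
// Settings must be applied before session_start().

// Take the id only from the cookie, never from the URL, and never rewrite
// links to carry it; use_strict_mode makes PHP discard ids it never created.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');

/**
 * Start the session and only continue one this server created.
 * An unknown or attacker-chosen id (e.g. "spoofme") yields an empty
 * $_SESSION without our marker, so the id is thrown away and a fresh one
 * is issued. This check also covers PHP builds without use_strict_mode.
 */
function start_trusted_session(): void
{
    session_start();
    if (empty($_SESSION['__issued_by_server'])) {
        session_regenerate_id(true);               // drop the foreign id
        $_SESSION = ['__issued_by_server' => true]; // mark the new session
    }
}

/**
 * Call after successful authentication: issuing a new id here means any
 * id fixed before login is worthless afterwards.
 */
function on_login(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
}

start_trusted_session();
echo 'session id in use: ', htmlspecialchars(session_id()), "\n";
```

Repeat the author's test against this script: requesting it with ?PHPSESSID=spoofme appended leaves no session named spoofme behind, only a server-generated one delivered by cookie.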

