On Thu, Jan 17, 2008 at 10:17:18AM +0100, Stefan Esser wrote:

> So you see that you nearly NEVER ever want the cookie in _REQUEST. And
> even if you can think up a theoretical situation where you don't care
> the problem is that everyone else uses _REQUEST in unsafe places...
> Therefore my recommendation in PHP source code audits is usually... If
> your code uses _REQUEST then overwrite it with an array_merge() of _GET
> and _POST in the beginning of the script.

I have seen PHPSESSID taken from _REQUEST, like that it doesn't matter if
the browser won't accept cookies and the session ID is propagated via
_GET/_POST. However: I am quite willing to accept the argument that the trivial
amount of extra code to do this properly is the 'right' solution.

What Stefan is saying ought to be listed with the security issues on the PHP 
web site.

-- 
Alain Williams
Linux Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256  http://www.phcomp.co.uk/
Parliament Hill Computers Ltd. Registration Information: 
http://www.phcomp.co.uk/contact.php
Chairman of UKUUG: http://www.ukuug.org/
#include <std_disclaimer.h>

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
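As an added illustration of the array_merge() fix Stefan describes and of Alain's PHPSESSID case (example code written for this page, not code from the thread; the sample $_GET, $_POST and $_COOKIE values are constructed, and the rebuild_request() and session_id_from_request() helpers are hypothetical names):

```php
<?php
// Rebuild $_REQUEST from $_GET and $_POST only, so that a cookie value can
// never shadow a URL- or form-supplied parameter. The superglobals are
// populated by hand so this runs from the CLI; in a real request PHP
// fills them itself according to variables_order / request_order.

// Constructed sample request: a cookieless client propagates its session
// id in the URL, while a cookie carrying the same name is also present.
$_GET    = ['PHPSESSID' => 'id-from-url-placeholder', 'page' => '2'];
$_POST   = ['page' => '3'];
$_COOKIE = ['PHPSESSID' => 'id-from-cookie-placeholder'];

// What PHP builds when cookies come last in the order (e.g. "EGPCS"):
// later sources win, so the cookie overrides the URL parameter.
$_REQUEST = array_merge($_GET, $_POST, $_COOKIE);

/** Call at the very top of every entry script, before any other include. */
function rebuild_request(): void
{
    // array_merge() lets $_POST override $_GET for duplicate keys; cookie
    // values are dropped and must be read from $_COOKIE explicitly.
    $_REQUEST = array_merge($_GET, $_POST);
}

/** Session lookup that still works for GET or POST propagation. */
function session_id_from_request(): ?string
{
    $id = $_REQUEST['PHPSESSID'] ?? null;
    return is_string($id) && $id !== '' ? $id : null;
}

echo 'before rebuild: ', session_id_from_request(), PHP_EOL;
rebuild_request();
echo 'after rebuild:  ', session_id_from_request(), PHP_EOL;
echo 'page:           ', $_REQUEST['page'], PHP_EOL;
```

Before the rebuild the cookie's id is what the script sees; afterwards the URL-supplied id is used and the cookieless case Alain mentions keeps working, with POST taking precedence over GET for duplicate keys.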
