Ben Laurie wrote:
> James A. Donald wrote:
> > I do not see how this flaw can be avoided unless one
> > consciously takes special measures that the development
> > environment is not designed or intended to support.
>
> The obvious answer is you always switch to a new session after login.
> Nothing cleverer is required, surely?
Having read all these discussions and having looked in my own PHP code and the PHP documentation, I have to agree with James D. This cleverness challenges!

I knew how to start and maintain a session, I think. (That was no easy task. The PHP documentation is a mess, and over the last several versions different ways started and stopped working... I'm sure the obvious answer is to use a better tool, but I'm a bit stuck with a huge dose of reality at the moment, being one of the million or so PHP developers, and can't junk the man-years of habit just this month :-)

I just spent an hour or so skimming the doco for PHP, and apparently there is an ability to set another session id with a call called session_id(), oddly enough :-)

Which only leaves the problems of a) inventing a new session id, b) rewriting the code so that it carefully implements the unclever notion of setting this at the new login, c) deleting this at logout, and finally d) praying that this works as expected.

On the face of it, PHP doesn't appear to have much support for this. It will require each developer to (re-)implement their own solution.

I'd love to be wrong in this: does anyone know the easy way to secure a PHP website against session fixation? Or is it another case of "you gotta write it all yourself again?"

Rich Salz wrote:
> From
> http://www.modssl.org/docs/2.8/ssl_reference.html#ToC25
>
> The following environment variables are exported into SSI files
> and CGI scripts:
> SSL_SESSION_ID The hex-encoded SSL session id
>
> Care to try again?

Please. How does one get access to that in PHP? That would be a wonderful answer to a) above. Which would only leave me with b) thru d) :-(

PS: Steve, thanks for the aviso! Very interesting attack!

-- 
iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
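The "switch to a new session after login" rule that Ben Laurie states and the a) through d) steps iang lists above, worked through as an added example; this is editor-supplied code, not anything posted in the thread. It assumes `session_regenerate_id()` (present in PHP since 4.3.2; its boolean argument, which deletes the old session data, needs PHP 5.1+), which the thread does not mention (it only names `session_id()`). The `check_credentials()` stub and its constant are constructed stand-ins for a real credential check, and the `SSL_SESSION_ID` lookup only returns something when the web server actually exports mod_ssl's variables to the script (Apache's `SSLOptions +StdEnvVars`), which is a configuration assumption.

```php
<?php
// Added example, not from the thread: session-fixation defence for a PHP login.

// Constructed stand-in for a real credential check (assumption, not the
// thread's code). A real application would compare against a stored hash.
function check_credentials($user, $password)
{
    return $user === 'demo' && $password === 'demo-pw';
}

// BEFORE: the pattern the thread is worried about. Whatever session id the
// browser arrived with is kept after authentication, so a session id that was
// planted before login now names an authenticated session.
function login_vulnerable($user, $password)
{
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;   // same id as before the login succeeded
    return true;
}

// AFTER: steps a) and b) from the thread. PHP invents the new id itself, and
// the old one is discarded at the moment of login, so a pre-login id no longer
// maps to any server-side state.
function login_fixed($user, $password)
{
    session_start();
    if (!check_credentials($user, $password)) {
        return false;
    }
    // true = delete the old session's data as well as issuing a new id
    // (assumption: PHP 5.1+; older versions keep the old file until GC).
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

// Step c): logout must destroy the session, not merely unset a variable,
// and should expire the cookie so the browser stops presenting the old id.
function logout()
{
    session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();   // 'httponly' key needs PHP 5.2+
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Rich Salz's SSL_SESSION_ID: PHP exposes CGI/server environment variables
// through $_SERVER, so under Apache + mod_ssl with "SSLOptions +StdEnvVars"
// the hex-encoded TLS session id is readable here (assumption: that option
// is set; otherwise this returns null).
function ssl_session_id()
{
    return isset($_SERVER['SSL_SESSION_ID']) ? $_SERVER['SSL_SESSION_ID'] : null;
}

// Step d), the "praying that it works" part, replaced by a check a test can
// run: the session id after login must differ from the one before it.
function login_changes_session_id($user, $password)
{
    session_start();
    $before = session_id();
    $ok     = login_fixed($user, $password);
    return $ok && session_id() !== $before;
}
```

The check at the end is the one worth keeping in a test suite: if a future PHP upgrade or a configuration change silently turns `session_regenerate_id()` into a no-op, the assertion that the id changes across login is what catches it.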