On Tue, 17 Jun 2003, Ian Grigg wrote:
> does anyone know the easy way to secure a PHP website against
> session fixation?

I noticed that the PHP documentation includes a new section on session
insecurity and a link to the paper on session fixation.


The latest version of PHP (4.3.2) includes a new function which should be
called by your login processing page as soon as you mark the session as
logged in to generate a new session ID.  That should solve the session
fixation problem since any previous session is discarded by this function.


Unfortunately it does seem that anyone using the PHP session generator is
vulnerable until they apply this change. I suspect the PHP mailing lists
have been buzzing about this.  Further discussion of PHP should probably
go there rather than here.
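For readers who want to see the change in practice, here is an added example of the login-page change the message describes; it is not code from the original message or from the PHP project. The function the message refers to is session_regenerate_id(), introduced in PHP 4.3.2. The credential check, the form field names and the redirect target are assumptions for illustration only.

```php
<?php
// Added example (not part of the original message): a login handler that
// regenerates the session ID at the moment the session becomes
// authenticated, so that an ID planted by an attacker before login never
// turns into an authenticated session. check_credentials(), the $_POST
// field names and the redirect target are assumed for illustration.

// Ignore session IDs passed in the URL; cookie-only sessions remove the
// easiest fixation vector (a link carrying ?PHPSESSID=...).
ini_set('session.use_only_cookies', '1');
session_start();

function check_credentials($user, $pass)
{
    // Illustrative lookup only; a real application checks a user store.
    $users = array('alice' => 'correct horse battery staple');
    return isset($users[$user]) && $users[$user] === $pass;
}

if (isset($_POST['user'], $_POST['pass'])
    && check_credentials($_POST['user'], $_POST['pass'])) {

    // Privilege boundary: issue a fresh ID *before* storing the logged-in
    // state. Must run before any output, since it sends a new cookie.
    session_regenerate_id();
    // PHP 4.3.2 keeps the old session data under the old ID; from PHP 5.1.0
    // on, session_regenerate_id(true) also deletes the old session.

    $_SESSION['logged_in'] = true;
    $_SESSION['user']      = $_POST['user'];

    header('Location: /account.php');
    exit;
}
```

The important ordering is regenerate first, then write the authenticated state: if the flag is set before the ID changes, the attacker-supplied ID is briefly a valid logged-in session. Do the same regeneration on any other privilege change (role switch, password change), and call session_destroy() on logout.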

