Angus,
I have finished the session stuff so far (make test now works also). It's in
the CVS. I would be happy if you could take a look at it and give me
feedback if it works for you too.
Gerald
-------------------------------------------------------------
Gerald Richter ecos electronic communication services gmbh
Internetconnect * Webserver/-design/-datenbanken * Consulting
Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925151
WWW: http://www.ecos.de Fax: +49 6133 925152
-------------------------------------------------------------
----- Original Message -----
From: "Gerald Richter" <[EMAIL PROTECTED]>
To: "Angus Lees" <[EMAIL PROTECTED]>; "Embperl list"
<[EMAIL PROTECTED]>
Sent: Thursday, November 09, 2000 9:19 PM
Subject: Re: trying to DeleteSession (security bug?)
> >
> > currently it sends the cookie every time, but (as gerald and I
> > discussed privately) I have a feeling that's a modperl 1.24 issue.
> >
> > if you write to %udat after calling DeleteSession, then it creates the
> > session in the database (or on disk, etc), but still deletes the
> > cookie. if you do this, you probably deserve to leak sessions tho ;)
> > (reading after deleting is fine)
> >
>
> Now delete, read after delete and write after delete should work. Also the
> cookie resending logic is enhanced. Maybe this works also for you.
>
> >
> > my point was that it tries to create whatever session the browser asks
> > for. imo, if the browser has a cookie for which no session exists, the
> > browser should get given a new randomly generated session, just as if
> > it had no existing cookie.
> >
> > if it wasn't for taint, it'd be a real security issue. consider what
> > would happen using FileStore and a session id of "../../bin/httpd" (or
> > some path that exists).
> >
>
> Ok, Embperl has relied on Apache::Session to validate the session id, but
> actually it doesn't do this correctly.
>
> I have added a session id validation (if Apache::Session 1.53+ is
> installed, it uses the validate method of the Generate class). If the
> session id is invalid or the session id doesn't exist, Embperl now
> generates a new id and sends a new cookie with this id.
>
> I also have made a lot of enhancements to make test, to better test all
> these situations, but this is not totally finished yet, so a few of the
> tests in the current CVS version fail, but Embperl seems to do the right
> thing.
>
> Gerald
>
> -------------------------------------------------------------
> Gerald Richter ecos electronic communication services gmbh
> Internetconnect * Webserver/-design/-datenbanken * Consulting
>
> Post: Tulpenstrasse 5 D-55276 Dienheim b. Mainz
> E-Mail: [EMAIL PROTECTED] Voice: +49 6133 925151
> WWW: http://www.ecos.de Fax: +49 6133 925152
> -------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
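The validation rule Gerald describes above (reject a session id that does not match the generator's format, and issue a fresh id plus a new cookie whenever the id is malformed or unknown) is reimplemented here in Python as an added example; it is not Embperl's or Apache::Session's own code. The 32-hex-digit id format, the one-file-per-session FileStore layout and the function names are assumptions.

```python
import os
import re
import secrets
import tempfile

# Assumed id format: 32 hex digits, as an MD5-based generator produces.
# "../../bin/httpd" (the id from the thread) fails this check outright,
# so it never reaches the filesystem layer.
SESSION_ID_RE = re.compile(r"[0-9a-fA-F]{32}")


def validate_session_id(sid):
    """True only if sid is a string in the exact expected format."""
    return isinstance(sid, str) and SESSION_ID_RE.fullmatch(sid) is not None


def new_session_id():
    """Fresh random id from a CSPRNG (32 hex digits, matching the format)."""
    return secrets.token_hex(16)


class FileStore:
    """One file per session under `directory`; ids are validated before
    they are ever joined into a path."""

    def __init__(self, directory):
        self.directory = directory

    def path_for(self, sid):
        if not validate_session_id(sid):
            raise ValueError("invalid session id")
        return os.path.join(self.directory, sid)

    def exists(self, sid):
        return validate_session_id(sid) and os.path.isfile(self.path_for(sid))

    def create(self, sid):
        with open(self.path_for(sid), "x"):  # "x": fail if it already exists
            pass


def resolve_session(store, cookie_sid):
    """Return (session_id, send_new_cookie). An id from the browser is kept
    only if it is well-formed AND already exists; otherwise a new random id
    is created and the caller must send a cookie carrying it."""
    if validate_session_id(cookie_sid) and store.exists(cookie_sid):
        return cookie_sid, False
    sid = new_session_id()
    store.create(sid)
    return sid, True


def demo():
    """Constructed walk-through over a temporary store: a known id is kept,
    an unknown but well-formed id and a traversal id both get a fresh one."""
    store = FileStore(tempfile.mkdtemp())
    existing = new_session_id()
    store.create(existing)
    kept, resend_kept = resolve_session(store, existing)
    unknown, resend_unknown = resolve_session(store, "0" * 32)
    bad, resend_bad = resolve_session(store, "../../bin/httpd")
    return {"existing": existing, "kept": kept, "resend_kept": resend_kept,
            "unknown": unknown, "resend_unknown": resend_unknown,
            "bad": bad, "resend_bad": resend_bad}
```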