To be fair, that actually just wraps http://us.php.net/session_regenerate_id .

-Matt
On Tue, Sep 30, 2008 at 4:03 AM, Robert Castley <[EMAIL PROTECTED]> wrote:
> Don't you just love ZF, they think of everything :-)
>
> Thanks!
>
> -----Original Message-----
> From: keith Pope [mailto:[EMAIL PROTECTED]]
> Sent: 30 September 2008 11:05
> To: [email protected]
> Subject: Re: [fw-general] Session ID Protection
>
> This is addressed by Zend_Session already. You should make sure that you
> re-generate the session id for every request, I usually include
> Zend_Session::regenerateId() in my bootstrap.
>
> I would suggest reading the reference:
>
> http://framework.zend.com/manual/en/zend.session.global_session_management.html#zend.session.global_session_management.session_identifiers.hijacking_and_fixation
>
> Thx
>
> 2008/9/30 Robert Castley <[EMAIL PROTECTED]>:
> > The following article highlights security issues with session IDs.
> > It also goes on to say not to use URL re-writes.
> >
> > How does this affect ZF? The quick test provided in the link does
> > indeed expose my session ID when using Zend_Auth.
> >
> > http://www.theregister.co.uk/2008/09/29/sessionid_protection/
> >
> > - Robert
> >
> > ________________________________________________________________________
> > This email has been scanned for all known viruses by the
> > MessageLabs Email Security Service and the Macro 4 plc internal virus
> > protection system.
> > ________________________________________________________________________
>
> --
> ----------------------------------------------------------------------
> [MuTe]
> ----------------------------------------------------------------------
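The hardening the thread circles around, as an added example in plain PHP that is not code from the thread or from Zend Framework: it refuses URL-carried session IDs (the article's objection to URL rewriting), sets the cookie flags, and rotates the ID on login with session_regenerate_id(), which Zend_Session::regenerateId() wraps. The helper names login_user and rotate_if_stale are assumptions for illustration.

```php
<?php
// Added example, not from the thread or from ZF. Assumes plain PHP >= 5.2;
// Zend_Session::regenerateId() wraps session_regenerate_id(), so the same
// calls apply under Zend_Session.

// 1. Never read the session ID from the URL and never emit it there.
//    This covers the article's advice against URL rewriting (trans_sid).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '1');

// 2. Cookie flags: HttpOnly keeps the ID out of reach of page script;
//    Secure keeps it off plaintext HTTP when the site is served over TLS.
$secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
session_set_cookie_params(0, '/', '', $secure, true);

session_start();

// 3. Rotate the ID on every privilege change (login), deleting the old
//    session data so an ID planted before login (fixation) is worthless.
function login_user($userId)   // hypothetical helper
{
    session_regenerate_id(true);  // same effect as Zend_Session::regenerateId()
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}

// 4. Rotating on every request, as suggested in the thread, also works but
//    can break concurrent AJAX requests that still carry the previous ID;
//    a periodic rotation is a common middle ground.
function rotate_if_stale($maxAge = 300)   // hypothetical helper
{
    if (!isset($_SESSION['created_at'])
        || time() - $_SESSION['created_at'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['created_at'] = time();
    }
}

rotate_if_stale();
```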
