Hi Arpad,

On Tue, Aug 6, 2013 at 4:17 AM, Arpad Ray <array...@gmail.com> wrote:
> On Mon, Aug 5, 2013 at 7:46 PM, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
>> On Tue, Aug 6, 2013 at 1:04 AM, Arpad Ray <array...@gmail.com> wrote:
>>
>>> I think there really should be a vote.
>>
>>
>> This means you don't really understand the true risk of this
>> vulnerability.
>> It allows permanent session ID fixation. This is a CVE-assigned
>> vulnerability.
>> Details are explained in the RFC and I don't want to explain fully on the ML
>> again.
>> (We might have discussed the details in secur...@php.net, but I think I wrote
>> enough info)
>>
>> Please refer to the RFC.
>>
>
> I do really understand the risk...
>

It allows "permanent" session ID fixation due to browser implementations.
To make matters worse than in the old days, recent browsers only send one
outstanding cookie. This made attack detection impossible on the server side.
(i.e. a bad countermeasure(?) taken by browser developers)

If you are still curious about this vulnerability fix, please read the RFC
and do a little experiment. I did the experiment 2 years ago (and even
10 years ago). I suppose things have not changed.

Regards,

--
Yasuo Ohgaki
yohg...@ohgaki.net