based on something nasty i did with cookies a while back

Session id [aaaaaaaaaaaaaaaaaaaa][bbbbbbbbbb]
eg. first 32? chars are the standard md5, the remainder is a variable length key.

aaa - the standard session id. (eg. the filename)
bbb - a simple key overlay

say the session file contains 'abcd' and bbbbb contains 0au2dr
then the resulting session file would contain:
char 1 = (a + 0) mod 256
char 2 = (b + a) mod 256
char 3 = (c + u) mod 256
.... and so on.....

-- to decrypt you obviously overlay the negative with modulus..

it's an incredibly dumb and simple encryption method.. - but it may solve a lot of the concerns...
- eg. without the full session id, you can't use the session file. or guess the full session file..

anyway it's early morning so I probably missed something.. - it doesn't make it impossible - just a lot more difficult...

regards
alan

Ivan Ristic wrote:
>>The general philosophy of PHP has always been to make PHP easy for the
>>beginner yet flexible enough for advanced users. This fits that rule.
>>Give the advanced users the tools to configure PHP to have per-virtualhost
>>session handling, while sessions still work for the guy who just installed
>>PHP on his own little server and really doesn't know what he is doing.
>>
>
> That is fine for a philosophy. I would still like to try to make
> the default setup more secure. I agree, the least we can do is to
> document this.
>
> How about that we use the SERVER_NAME environment variable when
> generating session filenames? Instead of name like sess_XXXX, the name
> could be sess_YYYY_XXXX, where YYYY is a server fingerprint? I
> understand that this is not foolproof (say, for applications
> that run on the same domain name) but it will solve the most
> serious cases (shared hosting solutions).
>
>--
>Ivan Ristic, [EMAIL PROTECTED]
>[ Weblog on PHP, Software development, Intranets,
>and Knowledge Management: http://www.webkreator.com ]
>
>

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
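What the two proposals in this message amount to, as an added example (my code, not anything posted to the list or taken from PHP's session extension; Python rather than PHP so it runs stand-alone): the `[aaa][bbb]` split of the session id, the additive overlay of the session file keyed by the `bbb` part and its inverse, and Ivan's `sess_YYYY_XXXX` file naming. Assumptions that the post does not state are mine and marked in the comments: the key is reused cyclically when the session data is longer than the key, the split is at 32 hex characters, and the server fingerprint is derived from a hash of SERVER_NAME. The `recover_key` function is the check a practitioner would want: it shows in one subtraction per byte why the scheme "doesn't make it impossible", because a PHP session file begins with predictable serialized text.

```python
# Added example; not code from the post, from the list, or from PHP itself.
# Assumptions (mine, not stated in the post):
#   - the 'bbb' key part is reused cyclically for data longer than the key;
#   - the id splits at MD5_LEN = 32 hex characters, as the post guesses;
#   - Ivan's YYYY fingerprint is the first 8 hex characters of sha1(SERVER_NAME).
import hashlib
import secrets

MD5_LEN = 32  # length of the 'aaa' part: a hex md5, used as the filename


def make_session_id(key_len: int = 6) -> str:
    """Return the md5-hex 'aaa' part followed by a random printable 'bbb' key."""
    sid = hashlib.md5(secrets.token_bytes(16)).hexdigest()
    key = secrets.token_hex((key_len + 1) // 2)[:key_len]
    return sid + key


def split_session_id(full_id: str) -> tuple[str, bytes]:
    """'aaa' names the file on disk; 'bbb' is only ever sent in the cookie."""
    return full_id[:MD5_LEN], full_id[MD5_LEN:].encode("ascii")


def overlay(data: bytes, key: bytes) -> bytes:
    """char i = (data[i] + key[i mod len(key)]) mod 256, the post's scheme."""
    if not key:
        raise ValueError("empty key part: the session file would be stored in the clear")
    return bytes((d + key[i % len(key)]) % 256 for i, d in enumerate(data))


def unoverlay(data: bytes, key: bytes) -> bytes:
    """'overlay the negative with modulus': the inverse of overlay()."""
    if not key:
        raise ValueError("empty key part")
    return bytes((d - key[i % len(key)]) % 256 for i, d in enumerate(data))


def recover_key(stored: bytes, known_plaintext: bytes, key_len: int) -> bytes:
    """The caveat: with a repeating additive key, each key byte is one
    subtraction away from a byte of known plaintext, and serialized PHP
    session data starts with predictable text (variable names, 's:' markers).
    This is why the scheme is 'just a lot more difficult', not impossible."""
    if len(known_plaintext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes((stored[i] - known_plaintext[i]) % 256 for i in range(key_len))


def session_file_name(server_name: str, sid: str) -> str:
    """Ivan's sess_YYYY_XXXX naming; the fingerprint derivation is assumed."""
    fingerprint = hashlib.sha1(server_name.encode("utf-8")).hexdigest()[:8]
    return f"sess_{fingerprint}_{sid}"


if __name__ == "__main__":
    # the post's own example: 'abcd' overlaid with the key '0au2dr'
    print(list(overlay(b"abcd", b"0au2dr")))  # [145, 195, 216, 150]

    # constructed sample payload in PHP's session serialization format
    payload = b'user|s:5:"alice";admin|b:0;'
    sid, key = split_session_id(make_session_id())
    stored = overlay(payload, key)
    assert unoverlay(stored, key) == payload
    # holding only the file (and the 'aaa' part) yields garbage ...
    assert unoverlay(stored, b"wrong!") != payload
    # ... until the predictable 'user|s:' prefix gives the key away
    assert recover_key(stored, b"user|s:", len(key)) == key
    print(session_file_name("www.example.com", sid))
```

The round trip confirms the overlay does what the post says (a file without the `bbb` part decodes to garbage), while `recover_key` shows the limit: any fragment of known plaintext at least as long as the key yields the key, so the protection is against opportunistic reading of the spool directory, not against anyone who can guess how a session file starts.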