Let's analyze the meaning of session.use_cookies, shall we?

    http://php.net/manual/en/ref.session.php says:

    "session.use_cookies specifies whether the module will use
    cookies to store the session id on the client side. Defaults
    to 1 (enabled)."

    Please note the absence of words like "only".

    The combination of session.use_cookies=1 and
    session.use_trans_sid=0 is working perfectly fine at the moment.

    This is also not about forgery.  While cookies are user data,
    the thing Mr. Pinerolo worries about is tricking a victim
    into using session ids which are known to the attacker.

    While it is easy for an attacker to send a URL to the victim
    containing a session id, injecting a malicious cookie into the
    victim's system is a much harder job.  I would say it is
    impossible, if I did not know about user habits and the
    quality of the software coming out of Redmond.  Despite the
    availability of patches, many systems are simply not updated
    in a timely fashion.

    You also cannot compare this issue to register_globals,
    unless you are used to comparing apples and oranges.

    With register_globals=on, a malicious user can directly cause
    harm and severe damage to a service, if the scripts are badly
    written.  For example, an attacker could inject SQL directly
    and cause all tables to be dropped.

    With session.use_only_cookies=0, an attacker has a tool for
    planting social engineering attacks against unwitting users.
    It does not cause direct damage on the server side.  It is
    one way of thousands to manipulate users.  Just look at how
    many AOL accounts are "phished" each day, because users
    ignore the warning that no one will legitimately ask them for
    their password.

    Mr. Pinerolo's example of online banking is immune to this
    scheme, because all bank transactions are protected by
    a one-time pad (called TANs in Germany).

    I would not have come up with the session.use_only_cookies
    idea, if I did not see an advantage for using it under some
    circumstances.  These circumstances are rare, though, and do
    not apply to all sites in general.  Badly written PHP scripts
    are apparently more common, which was the deciding factor for
    disabling register_globals.  I do not foresee such a
    compatibility breaking step with regard to
    session.use_only_cookies.

    - Sascha
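
One way to apply the session.use_only_cookies setting discussed in this message, as an added example that is neither part of the original post nor PHP's own code: it takes the session id from the cookie only, logs a session id that arrives in the URL or request body (the trick the message describes), and regenerates the id on login so a pre-set id never becomes the authenticated session. The user table is constructed for the example, and session.use_strict_mode and the samesite cookie option are assumed to be available (they belong to PHP releases later than this thread).

```php
<?php
// Added example, not code from the original message or from PHP itself.

// Take the session id from the cookie only, never from the URL or request
// body, and never rewrite links to carry it.  This is the setting the thread
// is about; with it, a session id placed in a URL sent to a victim is ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Refuse ids this server never issued (assumed available, PHP 5.5.2 and later):
// an unknown id is replaced rather than adopted.
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of script reach and off plain HTTP.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Detection: with use_only_cookies=1 an id in the query string or POST body is
// ignored, but its presence is the footprint of the URL trick, so record it.
function session_id_outside_cookie(array $get, array $post): bool
{
    $name = session_name();
    return isset($get[$name]) || isset($post[$name]);
}

// Constructed user store for the example (hypothetical user and password).
$users = ['alice' => password_hash('constructed-example-password', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // Discard the pre-authentication id.  Even if a client had been tricked
    // into using a known id, that id never becomes the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['auth_time'] = time();
    return true;
}

if (session_id_outside_cookie($_GET, $_POST)) {
    error_log('session id supplied outside the cookie from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}

session_start();

if (isset($_POST['user'], $_POST['password']) && !login($users, $_POST['user'], $_POST['password'])) {
    http_response_code(401);
}
```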


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php