[EMAIL PROTECTED] (Sascha Schumann) wrote: --- > Let's analyze the meaning of session.use_cookies, shall we? > > http://php.net/manual/en/ref.session.php says: > > "session.use_cookies specifies whether the module will use > cookies to store the session id on the client side. Defaults > to 1 (enabled). > > Please note the absence of words like "only". > > The combination of session.use_cookies=1 and > session.use_trans_sid=0 is working perfectly fine at the moment. > > This is also not about forgery. While cookies are user data, > the thing Mr. Pinerolo worries about is tricking a victim > into using session ids which are known to the attacker. > > While it is easy for an attacker to send a URL to the victim > containing a session id, injecting a malice cookie into the > victim's system is a much harder job. I would say it is > impossible, if I would not know about user habits and the > quality of the software coming out of Redmond. Despite the > availability of patches, many systems are simply not updated > in a timely fashion. > > You also cannot compare this issue to register_globals, > unless you are used to compare apples and oranges. > > With register_globals=on, a malice user can directly cause > harm and severe damage to a service, if the scripts are badly > written. For example, an attacker could inject SQL directly > and cause all tables to be dropped. > > With session.use_only_cookies=0, an attacker has a tool for > planting social engineering attacks against unwitting users. > It does not cause direct damage on the server side. It is > one way of thousands to manipulate users. Just look at how > many AOL accounts are "pfished" each day, because users > ignore the warning that noone will legitimately ask them for > their password. > > Mr. Pinerolo's example of online banking is immune to this > scheme, because all bank transactions are protected by > a one-time pad (called TANs in Germany). > > I would not have come up with the session.use_only_cookies > idea, if I did not see an advantage for using it under some > circumstances. These circumstances are rare though and do
Frankly, what I think of this is that it is a piece of social engineering in itself. The new session.use_only_cookies directive, put like that, that can only be set on a per installation basis, will never be adopted. This will leave all sites in the world vulnerable to damn easy snooping. I understand there are historical reasons for trying to keep the status quo, probably too many applications rely on the actual weakness. I do not share that vision. Anyway this will come back to your face one day, I have no doubts about it. This is not my problem, I'll be fairly offshore for the next months, so really you do what you want, discuss it or impose it among yourselves, I've done my duty. Mr. Pinerolo > not apply to all sites in general. Badly written PHP scripts > are more common apparently which was the deciding factor for > disabling register_globals. I do not foresee such a > compatibility breaking step with regard to > session.use_only_cookies. > > - Sascha > > -- PHP Development Mailing List <http://www.php.net/> To unsubscribe, visit: http://www.php.net/unsub.php
