But the real issue here is about session hijacking.  Yes, of course people
can send whatever session id they want to PHP.  Since the session id comes
from the user we need to accept what is sent.  Perhaps a check should be
added to make sure it looks like a proper session id before using it, but
this can be done easily in user space and it really doesn't affect
security in any way.  We are trying to protect the existing sessions
sitting behind the unpredictable PHP-generated session ids.  Why would a
normal user hack himself and choose a predictable session id?

-Rasmus

On Sun, 18 Aug 2002, Giancarlo wrote:

> Rasmus Lerdorf wrote:
> >
> > > Any propagation, doesn't matter.
> > > The passed id must exist, otherwise discarded and regenerated.
> > > I saw that php already creates the session at the start.
> > >
> > > The possibility to count on a stable name, because recreatable anytime
> > > and though surviving gc, is a great weakness for that type of snoop.
> > > php has to have the nicely dedicated devices to generate the id.
> >
> > And it does.  The session ids are not predictable, especially if you set
> > the entropy source to something like /dev/urandom in php.ini
> >
> > -Rasmus
>
> Sorry, but I feel like speaking with HAL..
>
> The unpredictable choice has to be made by a dedicated device except whenever
> any user decides to create his favourite one?
>
> I mean by appending ?PHPSESSID=foo that is what happens.
> User choice is given priority over that dedicated device.
> User can force php to create and recreate anytime any known id of his choice.
>
>
> Gian
>


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
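
The user-space check mentioned in the reply above, combined with the "passed id must exist, otherwise discarded and regenerated" rule from the quoted message, as an added example that is not code from the thread or from PHP itself. `start_checked_session()` and the `issued_by_server` marker are hypothetical names, and the code assumes PHP 7.1 or later for `session_create_id()`; later PHP releases also offer the `session.use_strict_mode` ini setting for rejecting uninitialized ids.

```php
<?php
// Added example, not from the thread. start_checked_session() and the
// 'issued_by_server' marker are hypothetical names chosen for illustration.

function start_checked_session(): string
{
    $name = session_name();                        // "PHPSESSID" by default
    $supplied = $_COOKIE[$name] ?? $_GET[$name] ?? null;

    // 1. Shape check: accept only the characters and lengths PHP generates.
    //    An id such as "foo" fails here.
    if (is_string($supplied)
        && !preg_match('/\A[A-Za-z0-9,-]{22,256}\z/', $supplied)) {
        // Pre-select a fresh id so the id from the request is never used.
        session_id(session_create_id());
    }

    session_start();

    // 2. Existence check: a session this code created earlier carries the
    //    marker. A well-formed id the server never issued opens an empty
    //    session, so it is deleted and replaced with a generated id.
    if (empty($_SESSION['issued_by_server'])) {
        session_regenerate_id(true);
        $_SESSION['issued_by_server'] = true;
    }
    return session_id();
}

// Offline demo (CLI only) with constructed inputs: the thread's "foo" and a
// well-formed id that was never issued by the server.
if (PHP_SAPI === 'cli') {
    $seen = [];
    foreach (['foo', str_repeat('a', 32)] as $chosen) {
        $_COOKIE[session_name()] = $chosen;
        $seen[$chosen] = start_checked_session();
        session_destroy();
    }
    // Print only after all sessions are closed: output marks headers as sent.
    foreach ($seen as $chosen => $actual) {
        echo $chosen, ' -> ', $actual === $chosen ? 'adopted' : 'replaced', "\n";
    }
}
```

Both constructed ids should be reported as replaced, while a session that already carries the marker keeps its id on later requests.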
