Hrm.. Wait a second though, Giancarlo is saying that if the user passes
in a session id himself and that session does not exist, then that will be
the session id he will be given if a session is created on that request.
Is that correct, Giancarlo?
From looking at the code and testing that assumption, it does not look
like that is the case. Try it yourself. Make two files:
file1.php:
<?php
session_start();
// PHP 4 era API: with register_globals=On, session_register('a') binds the
// global $a to the session. session_register() was removed in PHP 5.4; the
// modern equivalent is $_SESSION['a'] = "Foo";
session_register('a');
$a = "Foo";
?>
Setting $a to Foo
file2.php:
<?php
session_start();
// With register_globals=On, $a is restored from the session store
// (modern equivalent: echo $_SESSION['a'];)
echo $a;
// phpinfo() shows the session.* settings and the PHPSESSID cookie in effect
phpinfo();
?>
Then (with register_globals on) load up:
file1.php?PHPSESSID=123
followed by
file2.php?PHPSESSID=123
You will find that the session cookie that is generated is not "123" and
the /tmp session file is not sess_123
-Rasmus
On Sun, 18 Aug 2002, Dan Hardiker wrote:
> >> But the real issue here is about session hijacking. Yes, of course
> >> people can send whatever session id they want to PHP. Since the
> >> session id comes from the user we need to accept what is sent.
> >
> > This is what I consider inconceivable.
> > Why ever should tickets issued by the user be accepted, to what pro?
> > Something clashes here with that 'very unpredictable dedicated device'.
> > I'd prefer no acceptance of user provided id, if not where expressly
> > configured.
>
> There is a simple solution: make sure you're the one generating the IDs, and
> upon each "proper" session start (where no session id is passed in) set a
> session "I started this session" variable. If a session ID has been passed
> in, then check for that variable; if it exists, continue, if not, then
> show an error message.
>
> Note: you will experience the same problem if the session times out.
>
>
> --
> Dan Hardiker [[EMAIL PROTECTED]]
> ADAM Software & Systems Engineer
> First Creative Ltd
>
>
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
>
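The check Dan describes above (a server-set "I started this session" marker that a client-supplied session id cannot carry, because the client cannot write to the server-side session store), as an added example written against the modern PHP session API rather than the PHP 4 register_globals code in the thread. This is not code from the original thread or from PHP itself; the option names are real php.ini settings, but SESSION_MARKER, secureSessionStart() and loginUser() are names chosen here for illustration, and the cookie-parameter array form assumes PHP 7.3 or later.

```php
<?php
// Added example: refuse to adopt a session id the server never issued.
// Not from the original thread; function and constant names are illustrative.
declare(strict_types=1);

// Key that only server-side code ever writes into the session store.
const SESSION_MARKER = '__issued_by_server';

function secureSessionStart(): void
{
    // Never read the id from the URL (the PHPSESSID=123 case in the thread),
    // only from the cookie, and do not rewrite links to carry it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Since PHP 5.5.2: an id with no existing session file is rejected and a
    // fresh one generated, which is what the thread argues the engine should do.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);

    session_start();

    // Dan's check: a session we started carries the marker. If it is missing,
    // the id either was chosen by the client or belongs to an expired session
    // (his "times out" note). Either way, issue our own id and start clean
    // rather than continuing under an id the client may have pre-selected.
    if (empty($_SESSION[SESSION_MARKER])) {
        session_regenerate_id(true);      // true: delete the old session file
        $_SESSION = [
            SESSION_MARKER => true,
            'created'      => time(),
        ];
    }
}

function loginUser(int $userId): void
{
    // Privilege change: rotate the id so an id fixated before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage (per request, before any output):
secureSessionStart();
if (isset($_POST['user_id'])) {
    loginUser((int) $_POST['user_id']);
}
```

Rather than showing an error as Dan suggests, this variant silently replaces the unrecognised id, which also covers his timeout caveat: an expired session simply becomes a new one. The regenerate-on-login step is the part that matters most for fixation, since the marker alone only proves the id was issued by the server at some point, not that it was issued to the user now logging in.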