At 23:54, Sunday 18 August 2002, Rasmus Lerdorf wrote:
> Hrm.. Wait a second though, Giancarlo is saying that if the user passes
> in a session id himself and that session does not exist, then that will be
> the session id he will be given if a session is created on that request.
> Is that correct, Giancarlo?
>

Well, your browser has to be 'virgin' with regards to that cookie. You
mustn't have received one already, to be an available victim.

Giancarlo

> From looking at the code and testing that assumption, it does not look
> like that is the case. Try it yourself. Make 2 files:
>
> file1.php:
> <?php
> session_start();
> session_register('a');
> $a = "Foo";
> ?>
> Setting $a to Foo
>
> file2.php:
> <?php
> session_start();
> echo $a;
> phpinfo();
> ?>
>
> Then (with register_globals on) load up:
>
> file1.php?PHPSESSID=123
>
> followed by
>
> file2.php?PHPSESSID=123
>
> You will find that the session cookie that is generated is not "123" and
> the /tmp session file is not sess_123
>
> -Rasmus
>
> On Sun, 18 Aug 2002, Dan Hardiker wrote:
>
> > >> But the real issue here is about session hijacking. Yes, of course
> > >> people can send whatever session id they want to PHP. Since the
> > >> session id comes from the user we need to accept what is sent.
> > >
> > > This is what I consider inconceivable.
> > > Why ever should tickets issued by the user be accepted, to what pro?
> > > Something clashes here with that 'very unpredictable dedicated device'.
> > > I'd prefer no acceptance of user provided id, if not where expressly
> > > configured.
> >
> > There is a simple solution, make sure you're the one generating the IDs,
> > and upon each "proper" session start (where no session id is passed in)
> > set a session "I started this session" variable. If a session ID has been
> > passed in, then check for that variable, if it exists - continue, if not
> > then show an error message.
> >
> > Note: you will experience the same problem if the session times out.
> >
> >
> > --
> > Dan Hardiker [[EMAIL PROTECTED]]
> > ADAM Software & Systems Engineer
> > First Creative Ltd
> >
> >
> >
> > --
> > PHP Development Mailing List <http://www.php.net/>
> > To unsubscribe, visit: http://www.php.net/unsub.php
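The defence Dan Hardiker sketches above, written out as an added example that is not part of this thread nor of PHP's own code: the server marks every session it created itself, and a session id that arrives from the client without that mark is treated as never issued. Where Dan suggests showing an error, this version discards the client-supplied id and issues a fresh one, which also covers the timed-out-session case he notes. The ini settings `session.use_only_cookies` and `session.use_strict_mode` and the function `session_regenerate_id()` are later PHP additions (not available in the 2002 PHP this thread discusses) and are assumed to be present; the marker key name `__server_started` and the logging call are this example's own choices.

```php
<?php
// Added example (not from the mailing-list thread): reject session ids
// the server never issued, using a server-set marker in $_SESSION.
declare(strict_types=1);

// True if the client presented a session id at all (cookie, or URL/POST
// if PHP is configured to read those).
function client_supplied_session_id(): bool
{
    $name = session_name();
    return isset($_COOKIE[$name]) || isset($_GET[$name]) || isset($_POST[$name]);
}

// Start the session and make sure the id in use is one this server issued.
// Returns true if a client-supplied, never-issued id was discarded.
function start_session_safely(): bool
{
    // Assumed-available settings (PHP >= 4.3 / 5.5.2 respectively):
    // never take the id from the URL, and ignore ids the server does not know.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    $supplied = client_supplied_session_id();
    session_start();

    $discarded = false;
    if (empty($_SESSION['__server_started'])) {
        if ($supplied) {
            // The client sent an id but no server-created session carries it
            // (never issued, or expired): this is the fixation window.
            // Throw away whatever is attached to that id and start over.
            $_SESSION = [];
            session_regenerate_id(true);   // new id, old session file deleted
            error_log('discarded client-supplied session id that was never issued');
            $discarded = true;
        }
        // Mark this session as one the server itself created.
        $_SESSION['__server_started'] = true;
    }
    return $discarded;
}

// Usage, at the top of every page that needs a session:
if (start_session_safely()) {
    // Optionally treat the request as unauthenticated from here on.
}
```

Note that `session.use_strict_mode` already makes PHP ignore an unknown id and generate a new one, so on a current PHP the marker check is a second line of defence rather than the only one; on a PHP without that setting (as in the thread), the marker is what closes the gap, because `session_start()` will otherwise happily adopt `PHPSESSID=123` for a brand-new session.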