On Mon, 19 Aug 2002, Rasmus Lerdorf wrote:
> But could you at least answer the question? What is the advantage of
> allowing user-supplied new session ids? I see no reason not to add a
> check for this.
For example, I have a set of C programs for IRCG load
testing. It uses a simple FSM to generate HTTP requests and
waste incoming data (like 50K concurrent connections). If
this client could not use arbitrary session ids
(mysid$running_number), I'd have to actually analyze HTTP
replies and the icky Cookie header.
My stance is this:
You are either vulnerable to this class of attacks -- or you
are not. There is no middle ground.
To conclude: Don't trade useful features for pseudo security.
Removing this feature just increases the feeling of having a
'secure' site and decreases the desire to protect oneself by
activating session.use_only_cookies.
- Sascha
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
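The setting Sascha points to, as an added example that is not part of the thread: the permissive PHP session configuration beside the hardened one, with the id regenerated on login. The `on_successful_login` helper is hypothetical, and `session.use_strict_mode` is a later PHP addition (5.5.2) that did not exist when this mail was written.

```php
<?php
// Added example, not code from the thread. Shows the defence Sascha argues for:
// protect the site with session.use_only_cookies rather than removing the
// ability to supply a session id.

// Permissive: the id is also read from the URL (PHPSESSID=... in the query
// string) and appended to links, so a client-chosen id is honoured as-is.
// ini_set('session.use_only_cookies', '0');
// ini_set('session.use_trans_sid', '1');

// Hardened: the id is accepted only from the Cookie header...
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// ...and (PHP >= 5.5.2) an id the server never issued is discarded and
// replaced with a fresh one instead of being created on the client's behalf.
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of reach of page scripts.
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical login hook: whatever id the client arrived with, a new one is
// issued once they authenticate, so a pre-set id carries no authenticated state.
function on_successful_login(string $user): void
{
    session_regenerate_id(true); // true = remove the old session data as well
    $_SESSION['user'] = $user;
}
```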