> On Mon, 19 Aug 2002, Rasmus Lerdorf wrote:
>
> > But could you at least answer the question? What is the advantage of
> > allowing user-supplied new session ids? I see no reason not to add a
> > check for this.
>
> For example, I have a set of C programs for IRCG load
> testing. It uses a simple FSM to generate HTTP requests and
> waste incoming data (like 50K concurrent connections). If
> this client could not use arbitrary session ids
> (mysid$running_number), I'd have to actually analyze HTTP
> replies and the icky Cookie header.
Hrm.. Ok, that's what I was looking for. A real-world reason to allow the client to specify the new sids.

> You are either vulnerable to this class of attacks -- or you
> are not. There is no middle ground.
>
> To conclude: Don't trade useful features for pseudo-security.
> Removing this feature just increases the feeling of having a
> 'secure' site and decreases the desire to protect oneself by
> activating session.use_only_cookies.

I do agree with that, I just wasn't convinced that it was a useful feature.

-Rasmus

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
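The check Rasmus asks about, as an added example that is not part of this thread or of PHP itself: a userland guard that accepts only session ids this server issued, next to the session.use_only_cookies setting the thread names. It assumes PHP 7 or later with the standard session extension; session.use_strict_mode is a later addition to PHP (5.5.2) that does the same job inside the engine, and the marker key and function name are my own choices.

```php
<?php
// Added example, not code from the thread. use_only_cookies stops ids arriving
// in the URL or POST body (the setting discussed above); it does NOT stop a
// client from putting an arbitrary id such as "mysid42" into the cookie, which
// is what the marker check below and, in later PHP, use_strict_mode handle.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');   // engine-level version of the same check (PHP >= 5.5.2)

/**
 * Start the session and accept the presented id only if this server issued it.
 *
 * A session created here carries a marker. A request that arrives with an id
 * the server never generated finds no marker, so the id is discarded and
 * replaced by a server-generated one before any data is stored under it.
 *
 * Returns 'issued'   - the id was created by us on an earlier request
 *         'new'      - no id was presented; a fresh one was created
 *         'rejected' - an id was presented that we never issued; replaced
 */
function accept_only_issued_session(): string
{
    $presented = isset($_COOKIE[session_name()]);   // did the client send an id at all?
    session_start();

    if (isset($_SESSION['__issued_by_server'])) {
        return 'issued';
    }

    // No marker: first visit, or an id we did not hand out. Either way, do not
    // keep working under the client's id; generate our own and mark it.
    session_regenerate_id(true);
    $_SESSION['__issued_by_server'] = true;

    return $presented ? 'rejected' : 'new';
}

$outcome = accept_only_issued_session();

// Rejected ids are worth logging: a burst of them from one address is the
// detection signal for attempts to plant a chosen session id.
if ($outcome === 'rejected') {
    error_log('session: discarded client-supplied id from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
}
```

Legitimate load-testing clients of the kind described in the thread simply see their chosen id replaced by the Set-Cookie value on the first response, so the trade-off is explicit rather than silent.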