Justin French wrote:
> Hi all,
> About 2.30 in the morning I started kicking around an idea, based on the
> recent discussions on sessions, and what --enable-trans-sid did.
> From my understanding:
> +   if there is no session cookie, set a cookie AND append a
>     session ID to URLs on the first (session start) page

AND do a redirect to self. This is how phplib worked. How do you
distinguish the 'first page' from the others?

> +   on the next page, the session is carried, and it checks to
>     see if the cookie set on the prev. page can be found
>     -   if it can, it now knows (presumably by setting a session
>         var) that cookies are okay
>     -   if it can't, it assumes cookies are not avail, and it
>         knows that the session must be appended to each URL

Not quite like that. This is the same as saying: if there's a session in
the URL ad no cookie, presume  cookies are not available. Wrong
presumption. This is the reason why now it is spoofable by opening any
page with a user-provided session in the URL

> +   if the session ID must be appended, it waves a magic wand
>     over every .php page and appends a session id... i GUESS
>     through buffering or parsing the entire output.
> So, couldn't this be emulated by :
> + following the same set/check routine above
> + if needed, wave a magic wand over the output before it's sent to the page,
> by the use of output buffering?
> If some enough ppl on this list believe it's a good idea to pursue this, and
> don't think it will result in a big performance drop or anything, I'm keen
> to start work on it as an opensource project, hopefully with the support of
> this list to make sure it stays on the right track.
> On the other hand, there may be a huge flaw in my idea :D
> Justin French

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to