I myself wrote:
> Can I tell you more than what the subject says?
> proceeding:
> Close the browser, clean all your cookies, and open any page with that
> ?PHPSESSID=spoofme appended.
> And see what  happens.
> 1) No cookies are left
> 2) a session 'spoofme' is created
> Do you need more? Javascript url injection ad cross site scripting
> become obsolete with this 'feature'.
> PLS!
> I mean, as the zend site doesn't quite work like this (do the same test
> proceeding as described above...)
> Their session to append to your cookie-enabled browser location are
> Zend_Session_DB=whatever and Zend_Session_DB_SECURE=whatever2 on their
> login page.
> I don't know if this is related to the free downloadable version, and
> the one they sell and adopt is more 'fortified'... they should clearly
> state it then!
> Gian

I've commited the latest PHPLIB version (php-lib-stable) that humbly
tries to prevent this unsecure  behaviour, as I said in one of my prev
I can't extend it to the so-called PHPLIB4 (that uses native PHP4
session) tree, because PHP is truely holed in that.


PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to