[PHP] Re: emulating --enable-trans-sid -- project idea?
Justin French wrote: Hi all, About 2.30 in the morning I started kicking around an idea, based on the recent discussions on sessions, and what --enable-trans-sid did. From my understanding: + if there is no session cookie, set a cookie AND append a session ID to URLs on the first (session start) page AND do a redirect to self. This is how phplib worked. How do you distinguish the 'first page' from the others? + on the next page, the session is carried, and it checks to see if the cookie set on the prev. page can be found - if it can, it now knows (presumably by setting a session var) that cookies are okay - if it can't, it assumes cookies are not avail, and it knows that the session must be appended to each URL Not quite like that. This is the same as saying: if there's a session in the URL ad no cookie, presume cookies are not available. Wrong presumption. This is the reason why now it is spoofable by opening any page with a user-provided session in the URL + if the session ID must be appended, it waves a magic wand over every .php page and appends a session id... i GUESS through buffering or parsing the entire output. So, couldn't this be emulated by : + following the same set/check routine above + if needed, wave a magic wand over the output before it's sent to the page, by the use of output buffering? If some enough ppl on this list believe it's a good idea to pursue this, and don't think it will result in a big performance drop or anything, I'm keen to start work on it as an opensource project, hopefully with the support of this list to make sure it stays on the right track. On the other hand, there may be a huge flaw in my idea :D Justin French -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Re: emulating --enable-trans-sid -- project idea?
Justin French wrote: Hi all, About 2.30 in the morning I started kicking around an idea, based on the recent discussions on sessions, and what --enable-trans-sid did. From my understanding: + if there is no session cookie, set a cookie AND append a session ID to URLs on the first (session start) page + CREATE THAT PHP SESSION as soon as the sid is generated. And THEN redirect to self + on the next page, the session is carried, and it checks to see if the cookie set on the prev. page can be found - if it can, it now knows (presumably by setting a session var) that cookies are okay - if it can't, it assumes cookies are not avail, and it knows that the session must be appended to each URL + IF THE SESSION IS FOUND EXISTENT. It should, because you created it when generated the sid, before doing the redirect to self. Otherwise someone is spoofing. I've recently modified the PHPLIB behavior about session creation policy, to behave like this. The patch is commited and published at the project's site. + if the session ID must be appended, it waves a magic wand over every .php page and appends a session id... i GUESS through buffering or parsing the entire output. So, couldn't this be emulated by : + following the same set/check routine above + if needed, wave a magic wand over the output before it's sent to the page, by the use of output buffering? If some enough ppl on this list believe it's a good idea to pursue this, and don't think it will result in a big performance drop or anything, I'm keen to start work on it as an opensource project, hopefully with the support of this list to make sure it stays on the right track. On the other hand, there may be a huge flaw in my idea :D Justin French -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php