On Wed, 2004-04-07 at 09:56, inodes wrote:
> Hello,
>
> The PHP manual says it is the developer's job to ensure PHP sessions cannot
> be stolen or "fixed" (this is called Session Fixation).
>
> To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
> can port it for the other versions too - just ask...), that makes (almost)
> sure the current user IS the session creator. It is based on client IP
> addresses.
>
> This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
>
> If you think this could be useful, it could be improved and someday be part
> of the official distro.

I remember reading in the forums before that using the request IP to "fixate" a session isn't practical, since some ISPs (namely AOL) can have the request IP suddenly change between one request and another.

Cheers,
Rob.

--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP Internals - PHP Runtime Development Mailing List
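An added example, not the sesfixpatch linked in the thread, written for modern PHP (7 or later): it applies the direct defence against fixation (regenerating the session ID at login) and still binds the session to the client IP recorded at creation, but treats a later IP mismatch as "re-authenticate" rather than "reject", which is what the AOL objection above argues for. `SESSION_MAX_IDLE`, `client_ip()` and the `_guard` key are names assumed for this example.

```php
<?php
// Added example, not the sesfixpatch from the thread. Defence in depth for
// session fixation: regenerate the ID at login (the direct fix) and bind the
// session to the client IP seen at creation, but treat a later IP mismatch as
// "re-authenticate" rather than "reject", since proxied clients (the AOL case
// in the reply) can legitimately change IP between requests.
// SESSION_MAX_IDLE and the '_guard' key are names assumed for this example.

const SESSION_MAX_IDLE = 1800; // seconds of inactivity before the session dies

function client_ip(): string
{
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function start_guarded_session(): void
{
    // Cookie-only IDs remove the URL-carried PHPSESSID that fixation relies on.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();

    $now = time();
    if (!isset($_SESSION['_guard'])) {
        // First request of a fresh session: record what we know about the client.
        $_SESSION['_guard'] = ['ip' => client_ip(), 'last' => $now, 'auth' => false];
        return;
    }
    $g = &$_SESSION['_guard'];
    $idle_too_long = ($now - $g['last']) > SESSION_MAX_IDLE;
    $ip_changed    = $g['ip'] !== client_ip();

    if ($idle_too_long || ($ip_changed && $g['auth'])) {
        // Drop the authenticated state and issue a new ID; the user keeps a
        // working (anonymous) session and simply has to log in again.
        $g['auth'] = false;
        $g['ip']   = client_ip();
        session_regenerate_id(true); // true: the old session data is deleted
    }
    $g['last'] = $now;
}

function mark_authenticated(): void
{
    // Call after the credentials check succeeds. A new ID means any ID an
    // attacker handed the victim before login no longer names this session.
    session_regenerate_id(true);
    $_SESSION['_guard']['ip']   = client_ip(); // re-bind to the IP used to log in
    $_SESSION['_guard']['auth'] = true;
}
```

Call `start_guarded_session()` at the top of every request and `mark_authenticated()` once the login check passes; an authenticated user whose IP changes mid-session is logged out, not locked out.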