On Apr 7, 2004, at 10:17 AM, Robert Cummings wrote:

> On Wed, 2004-04-07 at 09:56, inodes wrote:
>
>> Hello,
>>
>> The PHP manual says it is the developer's job to ensure PHP sessions cannot
>> be stolen or "fixed" (this is called Session Fixation).
>>
>> To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
>> can port it for the other versions too - just ask...), that makes (almost)
>> sure the current user IS the session creator. It is based on client IP
>> addresses.
>>
>> This patch is available at: http://www.trickytools.com/php/sesfixpatch.php
>>
>> If you think this could be useful, it could be improved and someday be part
>> of the official distro.
>
> I remember reading in the forums before that using the request IP to
> "fixate" a session isn't practical since some ISPs (namely AOL) can have
> the request IP suddenly change between one request and another.

Yes, this behavior is quite common for many of the large ISPs.

George
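The thread contrasts two points: binding a session to the client IP (the approach of the patch) and the cost of doing so when an ISP changes a user's address between requests. The following simulation is an added example, not code from the thread or from the patch at trickytools.com; it models a tiny in-memory session store with a `bind_to_ip` switch and shows three cases: a planted session id rejected by IP binding, a legitimate user logged out by IP binding after an IP change, and, for comparison, the id-regeneration-on-login defence (the behaviour PHP exposes as `session_regenerate_id()`) which stops a planted id without depending on the client address. The store, the function names and the IP addresses are all constructed for this example.

```python
"""Simulation of session-fixation defences: IP binding versus
regenerating the session id at login. All names, addresses and the
store itself are constructed for this example (not PHP's ext/session)."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    sid: str
    user: Optional[str]   # None until the session is authenticated
    bound_ip: str         # client IP seen when the session was created


class SessionStore:
    """Minimal in-memory session store (hypothetical helper for the example)."""

    def __init__(self, bind_to_ip: bool) -> None:
        self.bind_to_ip = bind_to_ip
        self.sessions: Dict[str, Session] = {}

    def create(self, client_ip: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(sid, None, client_ip)
        return sid

    def resume(self, sid: str, client_ip: str) -> Optional[Session]:
        """Look up a session presented by a client. With IP binding on, a
        mismatching address is treated as a possible hijack and the
        session is dropped, which is also what logs out a user whose
        ISP changed their address mid-session."""
        session = self.sessions.get(sid)
        if session is None:
            return None
        if self.bind_to_ip and session.bound_ip != client_ip:
            del self.sessions[sid]
            return None
        return session

    def login(self, sid: str, client_ip: str, user: str) -> Optional[str]:
        """Authenticate and issue a fresh id (cf. session_regenerate_id()).
        Returns the new id, or None if the presented session was invalid."""
        if self.resume(sid, client_ip) is None:
            return None
        del self.sessions[sid]
        new_sid = self.create(client_ip)
        self.sessions[new_sid].user = user
        return new_sid


# Constructed addresses for the scenarios below (documentation ranges).
OUTSIDER_IP = "203.0.113.5"
USER_IP_A = "198.51.100.7"
USER_IP_B = "198.51.100.8"   # same user after an ISP-side address change


def fixation_blocked_by_ip_binding() -> bool:
    """An id created from one address and presented from another is
    rejected before login, so the planted id never becomes an
    authenticated session that its creator could reuse."""
    store = SessionStore(bind_to_ip=True)
    planted = store.create(OUTSIDER_IP)
    new_sid = store.login(planted, USER_IP_A, "alice")
    outsider_view = store.resume(planted, OUTSIDER_IP)
    return new_sid is None and outsider_view is None


def legitimate_user_loses_session_on_ip_change() -> bool:
    """The false positive raised in the thread: with IP binding, an
    authenticated user whose address changes is silently logged out."""
    store = SessionStore(bind_to_ip=True)
    sid = store.login(store.create(USER_IP_A), USER_IP_A, "alice")
    return store.resume(sid, USER_IP_B) is None


def fixation_blocked_by_regeneration() -> bool:
    """Without IP binding, regenerating the id at login still defeats a
    planted id, and the user's session survives the address change."""
    store = SessionStore(bind_to_ip=False)
    planted = store.create(OUTSIDER_IP)
    new_sid = store.login(planted, USER_IP_A, "alice")
    outsider_view = store.resume(planted, OUTSIDER_IP)
    user_view = store.resume(new_sid, USER_IP_B)
    return (outsider_view is None and user_view is not None
            and user_view.user == "alice")


if __name__ == "__main__":
    print("IP binding stops planted id:", fixation_blocked_by_ip_binding())
    print("IP binding logs out user on IP change:",
          legitimate_user_loses_session_on_ip_change())
    print("Regeneration stops planted id, keeps user:",
          fixation_blocked_by_regeneration())
```

Run with `python3 session_fixation_sim.py`. The second function is the case Robert and George describe: the binding check cannot tell an ISP-side address change from a stolen cookie, so it costs availability for exactly the users behind large proxies. The third function shows why regenerating the id at the moment privileges change is the usual defence instead: it needs no assumption about the client's address.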
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php