Andi
At 10:09 AM 4/8/2004 +0200, inodes wrote:
It is obvious my proposal is considered a very bad idea by most of you ;-)
But my goal is not to ask for a definitive patch for PHP, so I probably made a mistake by posting the initial message in this mailing list...
I just offer this patch for admins who manage applications developed by others (subcontractors, for example).
There are plenty of badly coded PHP apps and nobody has time to fix them, so if administrators want to minimize security risks, they can:
1) audit & rewrite the code, or 2) strengthen the underlying engine (aka PHP).
My patch is just a simple way to reinforce the security without changing any line of code. Of course, there is a risk of losing sessions if legitimate users have their IP address dynamically changed. And of course, IP address checking does not protect users behind a proxy or a NAT gateway against their "colleagues".
But sometimes, the IP checking can be sufficient and won't produce any side-effect. Let the admins try and decide if it fits their apps.
Furthermore, I added other controls based on the HTTP headers sent by the browser (this also reduces the risk of session fixation), and the IP address test can take the IP classes (A, B and C) into account.
Official patches or changes required by users (like me) *must* perfectly solve a problem, and this patch is far from perfect, so...
Jerome
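The controls Jerome describes (a session bound to a masked client IP plus a few browser headers, with the class-A/B/C granularity chosen by the admin) can be approximated at the application level. The following is an added example, not the engine patch from this thread; the prefix width, the header set and the `_fp` session key are assumptions made for illustration.

```php
<?php
// Leading IPv4 bits that must stay constant across requests:
// 32 = exact host, 24/16/8 = class C/B/A style matching, 0 = ignore the IP.
const SESSION_IP_PREFIX_BITS = 24;

// Headers folded into the fingerprint (constructed choice); they rarely
// change within one browser session, so a mismatch suggests another client.
const SESSION_BOUND_HEADERS = ['HTTP_USER_AGENT', 'HTTP_ACCEPT_LANGUAGE'];

function masked_ipv4(string $ip, int $bits): string
{
    $packed = ip2long($ip);
    if ($packed === false) {
        return $ip;                       // not IPv4: compare verbatim
    }
    $mask = $bits === 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return long2ip($packed & $mask);      // e.g. 192.0.2.77 -> 192.0.2.0 at /24
}

function session_fingerprint(array $server): string
{
    $parts = [masked_ipv4($server['REMOTE_ADDR'] ?? '', SESSION_IP_PREFIX_BITS)];
    foreach (SESSION_BOUND_HEADERS as $h) {
        $parts[] = $server[$h] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

// Call right after session_start(). Returns true if the session is accepted,
// false if it was discarded because the client no longer matches its owner.
function enforce_session_binding(array $server): bool
{
    $current = session_fingerprint($server);
    if (!isset($_SESSION['_fp'])) {
        // First request: rotate the id so an externally supplied id
        // (session fixation) is not kept, then record the client.
        session_regenerate_id(true);
        $_SESSION['_fp'] = $current;
        return true;
    }
    if (hash_equals($_SESSION['_fp'], $current)) {
        return true;
    }
    // Mismatch: drop the session. Legitimate users whose address changed
    // are logged out as well; the prefix width controls that trade-off.
    $_SESSION = [];
    session_destroy();
    return false;
}

session_start();
if (!enforce_session_binding($_SERVER)) {
    http_response_code(403);
    exit('Session rejected: client does not match the session owner.');
}
```

Behind a proxy or NAT every client shares the same REMOTE_ADDR, so there the header part of the fingerprint is the only thing separating users, which is the limitation Jerome points out.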
-- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php