Hi,
I haven't looked in any detail at these functions, but wouldn't you be able to prevent fixation by inquiring whether a particular session was already started? -- rather than PHP's current (IMHO flawed) behavior where a new session is simply started with whatever session id is passed in.
Being able to detect if a session was already started has nothing to do with session fixation attacks.
Session fixation means that you supply the user with a session id you know about. It doesn't make any difference if this session id was obtained by visiting the target site once, or by simply putting in a random one (that is then accepted by PHP).
(And any argument that one obtained by visiting the site would be bound to the attacker's creds is invalid, because the same technique would catch new invalid sessions (because of no assigned creds))
And the behaviour of PHP is not flawed. For several systems it is vital that the outside is able to set the session id. There is no reason to change that behaviour, because it doesn't stop any attack.
Yours, Stefan Esser
--
Stefan Esser [EMAIL PROTECTED]
Hardened-PHP Project http://www.hardened-php.net/
GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78
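The argument in the reply above, as an added example that is not part of the original message and not PHP's own code: a small Python model of a session store in which every class, function and value is constructed for illustration. It compares a store that accepts any id with one that rejects unknown ids, and goes one step beyond the message by also modelling a store that issues a new id at login.

```python
import secrets

class SessionStore:
    """Toy session store; a constructed model, not PHP's session code."""

    def __init__(self, accept_unknown_ids, regenerate_on_login=False):
        self.accept_unknown_ids = accept_unknown_ids
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}  # session id -> logged-in user (None = anonymous)

    def open(self, sid=None):
        """Return the id of the session that serves a request presenting `sid`."""
        if sid in self.sessions:
            return sid
        if sid is None or not self.accept_unknown_ids:
            sid = secrets.token_hex(16)  # server picks the id
        self.sessions[sid] = None
        return sid

    def login(self, sid, user):
        """Log `user` in; return the session id that is valid after login."""
        sid = self.open(sid)
        if self.regenerate_on_login:
            del self.sessions[sid]       # retire the pre-login id
            sid = secrets.token_hex(16)
        self.sessions[sid] = user
        return sid

def fixed(store, known_sid):
    """True if an id known before login is authenticated once the victim logs in."""
    store.login(known_sid, "victim")
    return store.sessions.get(known_sid) == "victim"

def run_cases():
    permissive = SessionStore(accept_unknown_ids=True)
    strict = SessionStore(accept_unknown_ids=False)
    visited = SessionStore(accept_unknown_ids=False)
    regen = SessionStore(accept_unknown_ids=True, regenerate_on_login=True)
    return {
        "made-up id, any id accepted": fixed(permissive, "made-up-id"),
        "made-up id, unknown ids rejected": fixed(strict, "made-up-id"),
        "id from one visit, unknown ids rejected": fixed(visited, visited.open()),
        "made-up id, new id issued at login": fixed(regen, "made-up-id"),
    }

if __name__ == "__main__":
    for case, result in run_cases().items():
        print(f"{case}: fixation {'succeeds' if result else 'fails'}")
```

Rejecting unknown ids only blocks the made-up id; an id issued by the site during an earlier visit is still carried through login unless the id changes at that point.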