Stefan Esser wrote:
Hi,

I haven't looked in any detail at these functions, but wouldn't you be able to prevent fixation by inquiring whether a particular session was already started? -- rather than PHP's current (IMHO flawed) behavior where a new session is simply started with whatever session id is passed in.


Being able to detect if a session was already started has nothing to do with session fixation attacks.

Session fixation means that you supply the user with a session id you know about. It doesn't make any difference if this session id was obtained by visiting the target site once, or by simply putting in a random one (that is then accepted by PHP).

Sorry, perhaps this is just a vocabulary misunderstanding on my part. I thought "fixation" was explicitly providing the user with a fake but known session id (e.g. '1'), whereas "hijacking" is taking a valid id from another user.


And the behaviour of PHP is not flawed. For several systems it is vital that the outside is able to set the session id. There is no reason to change that behaviour, because it doesn't stop any attack.

Seems to me that it would. If I can use XSS to get a user to click a link with PHPSESSID=1 in it, I know their session id and I don't have to concern myself with examining traffic, logs, or cookies. Am I wrong?


-Hans

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
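
The two cases argued over in this thread (a made-up id such as '1' versus an id the site really issued), as an added example that is not part of the original message: a toy Python model of a session store, not PHP's session code. The class, its `strict` and `regenerate_on_login` switches and all function names are assumptions made for illustration, and issuing a new id at login is a measure this example adds beyond what the thread discusses.

```python
import secrets

class SessionStore:
    """Toy server-side session store; a model, not PHP's session code."""

    def __init__(self, strict, regenerate_on_login):
        self.strict = strict                    # refuse ids this server never issued
        self.regenerate_on_login = regenerate_on_login
        self.sessions = {}                      # session id -> session data

    def start(self, sid=None):
        """Return the session id in effect after a request presenting `sid`."""
        if sid is not None and (sid in self.sessions or not self.strict):
            self.sessions.setdefault(sid, {"user": None})
            return sid
        sid = secrets.token_hex(16)             # unknown or missing id: issue a fresh one
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        sid = self.start(sid)
        if self.regenerate_on_login:            # move the data to a new id, retire the old
            data = self.sessions.pop(sid)
            sid = secrets.token_hex(16)
            self.sessions[sid] = data
        self.sessions[sid]["user"] = user
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_succeeds(store, planted_sid):
    """The user logs in while presenting planted_sid; is that id now logged in?"""
    store.login(planted_sid, "victim")
    return store.whoami(planted_sid) == "victim"

def run_cases():
    results = {}
    for strict in (False, True):
        for regen in (False, True):
            store = SessionStore(strict, regen)
            results[strict, regen, "made-up"] = fixation_succeeds(store, "1")
            store = SessionStore(strict, regen)
            issued = store.start()              # id obtained by visiting the site once
            results[strict, regen, "issued"] = fixation_succeeds(store, issued)
    return results

if __name__ == "__main__":
    for case, ok in sorted(run_cases().items()):
        print(case, "fixation succeeds" if ok else "fixation fails")
```

In this model, refusing unknown ids stops only the made-up id; an id the server issued earlier still carries the login unless the id is replaced when the user authenticates.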