Stefan Esser wrote:
Hi,

Sorry, perhaps this is just a vocabulary misunderstanding on my part. I thought "fixation" was explicitly providing the user with a fake but known session id (e.g. '1'), whereas "hijacking" is taking a valid id from another user.


yeah... Well you call it fake session id. But that is not exactly what session fixation means. It means you give the user a session ID he will ride with (and do not steal it from him).

ok.

But it makes no difference if you give him a completely fake one or if you visit the site once yourself and then use the session ID you got for the fixation.

I see your point, but I would still argue that being able to create an arbitrary, non-server-supplied session id is far more powerful -- primarily because it is not susceptible to session garbage collection on the server (i.e. the valid session id I get from the site will be invalid in gc_maxlifetime).


Now from last time we had this discussion, I seem to remember you saying that PHP is unable to determine whether a session id is new or not (because of how the session handlers work). If that's the case, then I understand that this is not a problem easy to address in PHP. I do still think it's a problem, however, that session ids in current default (i.e. without using session_regenerate_id()) implementation can be set by the client. I think PHP script authors should be in control of this aspect of their application's security -- i.e. being able to set IDs that cannot easily be brute-forced, etc.

-Hans
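The defensive pattern the two positions above converge on, written out as an added example (this is not code from the thread or from PHP's own sources): refuse to ride on a session ID the server never issued, and regenerate the ID when privilege changes so an ID that was fixed before login is worthless afterwards. It assumes the default cookie-based session handling; the marker key name and the `on_login()` helper are constructed for the illustration.

```php
<?php
// Added example, not from the mailing-list thread.
// Assumption: PHP's default session save handler with cookie-based IDs.

declare(strict_types=1);

// Constructed marker key: set only by this code, so its absence means the
// server never initialised the session behind the presented ID.
const SESSION_ISSUED_KEY = '__issued_by_server';

function secure_session_start(): void
{
    // Newer PHP (5.5.2 and later) can reject uninitialised IDs natively via
    // session.use_strict_mode; the manual marker check below gives the same
    // behaviour on older builds and doubles as a belt-and-braces check.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    ini_set('session.cookie_httponly', '1');

    session_start();

    if (!isset($_SESSION[SESSION_ISSUED_KEY])) {
        // Either the client presented an ID the server never created, or the
        // old session was already garbage-collected (gc_maxlifetime). In both
        // cases do not adopt the client-chosen ID: discard it, issue a fresh
        // server-generated one, and start from an empty session.
        session_regenerate_id(true);
        $_SESSION = [];
        $_SESSION[SESSION_ISSUED_KEY] = time();
    }
}

function on_login(string $userId): void
{
    // Privilege change: a new ID means an ID obtained or planted before
    // authentication no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION[SESSION_ISSUED_KEY] = time();
    $_SESSION['user_id'] = $userId;
}

// Typical use at the top of every request:
// secure_session_start();
// ... after credentials are verified:
// on_login($verifiedUserId);
```

The marker check alone closes only the case Hans raises (a fabricated, never-issued ID): an ID the attacker obtained by visiting the site legitimately, as Stefan points out, carries the marker and passes. That is why `on_login()` regenerates the ID unconditionally; the two measures together cover both variants.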

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php


