Hi,

I would prefer to make the attacker grab a valid session ID from me rather than simply allowing them to generate their own random one. It would simply mean the attacker would need a slightly more complex script to automate attacks, as well as applying a possible time frame the attack is valid for, which isn't a bad thing IMO.

Sorry, but I must comment on this argument again. I often hear that requiring the attacker to use a valid session ID will give the whole attack a certain time frame.


Sorry, but this argument forgets how a typical attack works:

1) give user a "fixed" session
2) wait a certain amount of time to check if he visited the site with this session
3) test the session ID on the site...
4) wait again
5) repeat 3-4 until the user has used the site...


So you see that there is always a time frame, even when the attacker uses a random one, because he can never know when his victim will visit the site with this session ID...

So he has to visit the site at some point and check if the session was started, and at this point he will start the session. If he does the visit too early, he will create the session instead of the victim; if he visits too late, he will only end up in the expired session of the victim.

So in both cases the attacker has to visit the site, e.g. every 30 minutes, so that the session ID does not time out. So all you get from disallowing fake session IDs is that the attacker has to connect one time more.

Which proves my point that the whole panic about fake session IDs forgets how real attackers have to work anyway...

Stefan

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
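The timing argument in the post above, as an added simulation that is not code from the thread or from PHP. It models a server session store with a 30-minute idle timeout and the two policies under debate for an unknown session ID presented by a client: accept it and create a session under that ID (fixation possible, comparable to PHP's session.use_strict_mode=0), or reject it and issue a fresh ID (strict mode). The Server class, the attacker's polling schedule, the victim's single login and the extra regenerate_on_login switch (a control the thread does not discuss, included only to show what actually breaks the attack) are all constructed assumptions.

```python
"""Simulation of session fixation against an idle timeout (constructed example)."""

import secrets

TIMEOUT = 1800  # idle timeout in seconds, the "every 30 minutes" of the thread


class Server:
    """Toy session store. Assumed model, not PHP's real implementation."""

    def __init__(self, strict_mode, regenerate_on_login=False):
        self.strict = strict_mode
        self.regen = regenerate_on_login      # assumed extra control, not in the thread
        self.sessions = {}                    # sid -> {"last_seen": t, "user": name|None}

    def _gc(self, now):
        # Drop sessions that have been idle for longer than TIMEOUT.
        for sid in [s for s, d in self.sessions.items() if now - d["last_seen"] > TIMEOUT]:
            del self.sessions[sid]

    def request(self, now, sid=None, login_as=None):
        """Handle one request at time `now`; return the session ID the client keeps."""
        self._gc(now)
        if sid is not None and sid not in self.sessions:
            if self.strict:
                sid = None                    # unknown ID rejected, fresh one issued below
            else:
                self.sessions[sid] = {"last_seen": now, "user": None}  # fixation accepted
        if sid is None:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"last_seen": now, "user": None}
        sess = self.sessions[sid]
        sess["last_seen"] = now
        if login_as is not None:
            if self.regen:                    # move the session to a new ID on login
                del self.sessions[sid]
                sid = secrets.token_hex(16)
                self.sessions[sid] = sess
            sess["user"] = login_as
        return sid

    def whoami(self, now, sid):
        """Attacker's probe (steps 3-5): who is logged in under `sid`? The probe is
        itself a request, so it also refreshes the session's idle timer."""
        kept = self.request(now, sid=sid)
        return self.sessions[kept]["user"] if kept == sid else None


def run_attack(strict_mode, regenerate_on_login=False, poll_interval=1500,
               victim_login_at=5000, horizon=10000):
    """Run steps 1-5 of the thread. Returns (hijacked, attacker_requests)."""
    server = Server(strict_mode, regenerate_on_login)
    attacker_requests = 0
    if strict_mode:
        planted = server.request(0)           # must first obtain a real ID (one request)
        attacker_requests += 1
    else:
        planted = "attacker-chosen-id"        # any string is accepted as a session ID
    # Constructed timeline: the attacker probes every poll_interval seconds; the
    # victim logs in exactly once with the planted cookie (step 1) and then idles.
    events = [(t, "probe") for t in range(0, horizon + 1, poll_interval)]
    events.append((victim_login_at, "login"))
    for t, kind in sorted(events):
        if kind == "login":
            server.request(t, sid=planted, login_as="victim")
        else:
            attacker_requests += 1
            if server.whoami(t, planted) == "victim":
                return True, attacker_requests
    return False, attacker_requests


if __name__ == "__main__":
    for strict in (False, True):
        for poll in (1500, 3600):
            print(f"strict={strict} poll={poll}s ->", run_attack(strict, poll_interval=poll))
    print("regenerate on login ->", run_attack(True, regenerate_on_login=True))
```

With a polling interval shorter than the timeout the hijack succeeds under both policies, and strict mode costs the attacker exactly one additional request (the initial fetch of a valid ID), which is the point the post makes. Polling slower than the timeout fails under both policies, because the victim's session expires between login and the next probe. The regenerate_on_login scenario is the added caveat: issuing a new ID at login breaks the attack regardless of how the unknown ID was treated, since the planted ID never carries the authenticated session.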