Hi all,

Some users that have tested this patch asked me if it's possible to delete offending cookies that enable a targeted DoS attack.

https://wiki.php.net/rfc/strict_sessions

I would like to add a patch that deletes offending cookies, which may be controlled by a php.ini setting. I can try to delete possible offending cookies, but recent browsers only send outstanding cookies. Therefore, it's impossible to know whether all offending cookies were successfully deleted. This feature will be a best-effort feature.

I think the setting for deleting cookies should be off by default, so that users could notice configuration problems (i.e. cookie path/domain, session name).

This patch eliminates session adoption/fixation, but introduces targeted DoS as I mentioned already. Even if it may not be possible to delete all malicious cookies, it is worthwhile to have this feature.

Any comments?

Hannes, I could edit the page once, but the "save" button is disabled for some reason. Could you check my karma? Thank you.

--
Yasuo Ohgaki
yohg...@ohgaki.net

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
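As an added example, not the patch from this thread nor PHP's own session code: a PHP prelude that counts how many cookies carrying the session name arrive in one request (the situation behind the targeted DoS) and, when a hypothetical `session.delete_offending_cookies` ini setting is on, expires the likely copies on a best-effort basis. The setting name and the candidate path/domain list are assumptions; the point it shows is that the browser never tells the server which path/domain the extra cookie has, so deletion can only be guessed.

```php
<?php
// Added example (not Yasuo's patch). Names for the ini setting, candidate
// paths and domains are assumptions.

// Return every value sent for $name: the Cookie header carries only
// name=value pairs, so the server cannot see each copy's path/domain.
function session_cookie_values(string $rawCookieHeader, string $name): array
{
    $values = [];
    foreach (explode(';', $rawCookieHeader) as $pair) {
        [$k, $v] = array_pad(explode('=', trim($pair), 2), 2, '');
        if ($k === $name) {
            $values[] = $v;
        }
    }
    return $values;
}

// Emit an expired Set-Cookie per path/domain pair; a browser only drops a
// cookie whose name, path and domain all match, hence the guesswork.
function clear_offending_session_cookies(string $name, array $paths, array $domains): int
{
    $sent = 0;
    foreach ($domains as $domain) {
        foreach ($paths as $path) {
            $ok = setcookie($name, '', [
                'expires' => 1, 'path' => $path, 'domain' => $domain, // '' = host-only
                'secure' => !empty($_SERVER['HTTPS']), 'httponly' => true,
            ]);
            $sent += $ok ? 1 : 0;
        }
    }
    return $sent;  // number of deletion headers queued, not cookies removed
}

// Hypothetical setting name (the thread does not fix one); off by default so a
// misconfigured cookie path/domain or session name still surfaces as a problem.
$enabled = filter_var(ini_get('session.delete_offending_cookies'), FILTER_VALIDATE_BOOLEAN);
$name    = session_name();
$values  = session_cookie_values($_SERVER['HTTP_COOKIE'] ?? '', $name);

if (count($values) > 1) {
    error_log(sprintf('%d cookies named %s in one request: possible fixation/DoS', count($values), $name));
    if ($enabled) {
        $host   = explode(':', $_SERVER['HTTP_HOST'] ?? '', 2)[0];  // drop any port
        $script = dirname($_SERVER['SCRIPT_NAME'] ?? '/');
        clear_offending_session_cookies($name, array_unique(['/', $script]), array_unique(['', $host]));
    }
}
```

The log line is useful on its own even with deletion disabled, since more than one session cookie in a single request is exactly the condition the strict-sessions patch cannot resolve by itself.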