--- Boyan Nedkov <[EMAIL PROTECTED]> wrote:
> > ... Short of any severe bugs in PHP's core, there is no way for a
> > user of your Web application to modify session data ...
>
> It seems that statement is not completely correct considering the topic
> discussed in the paper 'Session Fixation Vulnerability in Web-based
> Applications' (http://secinf.net/uplarticle/11/session_fixation.pdf).
Without reading that paper, I can guess that it explains session fixation.
This method of attack does not negate the above statement. It is still your
Web application that modifies the session data. A user can "trick" your
application in many different ways, but this is no different than:

    $_SESSION['foo'] = $_GET['foo'];

Right there is a security vulnerability, and the user was able to modify
session data, but not without your help. This is the point.

Consider a hypothetical situation where all of the data in the session is
valid. Now, the user's next visit is to a page that begins like this
(substitute appropriate code for "is this valid"):

    <?
    if ($_GET['foo'] is valid data) {
        $foo = $_GET['foo'];
    } else {
        $foo = $_SESSION['foo'];
    }

This is not a security vulnerability, nor does it present a risk (except for
the slight risk that your "is valid data" is broken). This is basically the
point.

In general, session data is safe, simply because it is data from the server
and not data from the client. That's an important difference, and it is
something you can leverage to increase the security of your applications.

Hope that helps.

Chris

=====
My Blog
http://shiflett.org/
HTTP Developer's Handbook
http://httphandbook.org/
RAMP Training Courses
http://www.nyphp.org/ramp

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
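The contrast Chris draws above (client data copied into the session unchecked versus client data accepted only after an "is valid data" check), as an added example that is not part of the original thread. The validator `is_valid_foo()`, the two `store_foo_*()` helpers and the constructed session/request arrays are assumptions for the demonstration; plain arrays stand in for `$_SESSION` and `$_GET` so it runs without a web server.

```php
<?php
// Added example, not code from the mailing-list post.
// The session is trusted only because the server wrote it; the moment the
// application copies client input into it unchecked, that trust is gone.

// Hypothetical whitelist validator: "foo" is assumed to be a short
// identifier of 1-32 characters from [A-Za-z0-9_].
function is_valid_foo(string $value): bool
{
    return preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) === 1;
}

// Unsafe pattern from the post: the client-supplied value goes straight
// into the session, so the "server-side" value is now attacker-controlled.
function store_foo_unsafe(array &$session, array $get): void
{
    $session['foo'] = $get['foo'] ?? null;
}

// Safe pattern from the post: only input that passes the check reaches the
// session; otherwise the previously stored server-side value is kept.
function store_foo_safe(array &$session, array $get): void
{
    if (isset($get['foo']) && is_valid_foo($get['foo'])) {
        $session['foo'] = $get['foo'];
    }
}

// Constructed inputs standing in for $_SESSION and $_GET.
$validSession = ['foo' => 'report_2024'];               // valid server state
$hostileGet   = ['foo' => '<script>alert(1)</script>']; // untrusted client data

// Unsafe: the session now holds the hostile string.
$session = $validSession;
store_foo_unsafe($session, $hostileGet);
var_dump($session['foo']);

// Safe: the hostile value fails validation and the original value survives.
$session = $validSession;
store_foo_safe($session, $hostileGet);
var_dump($session['foo']);
```

With real PHP sessions, call `session_start()` before touching `$_SESSION`; the session fixation paper cited in the thread is a separate concern, addressed by regenerating the session id with `session_regenerate_id(true)` after authentication rather than by input validation.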