Hello,
The PHP manual says it is the developer's job to ensure PHP sessions cannot
be stolen or "fixed" (this is called Session Fixation).
To minimise the risk of session fixation, I wrote a patch for PHP-4.3.5 (I
can port it for the other versions too - just ask...), that makes (almost)
sure the
I agree with all your arguments: the IP-base solution IS NOT perfect.
It is not generic enough to be implemented in world-wide application, but it
can be useful for intranets or extranets. That's to say, cases when you know
the infrastructure used by the clients to connect to your server support
th
Sasha suggests that I implement these checks in my script: IMHO that's not
the right strategy.
You guys are probably good programmers, but my experience shows me that the
"standard" PHP developer is not aware of security problems or he/she does
not have the time to finalize the scripts (time is money).
It is obvious my proposal is considered a very bad idea by most of you
;-)
But my goal is not to ask for a definitive patch for PHP, so I probably made
a mistake by posting the initial message in this mailing list...
I just offer this patch for admins who manage applications developed by
oth
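As an added illustration that is not the patch from this thread nor any code posted in it, this is what the same IP-bound session check looks like when done in the script itself, the approach Sasha suggested; it generalises slightly by letting the comparison use a prefix of the address rather than the exact IP, which is the intranet/proxy caveat discussed above. It assumes IPv4 clients, and the function names `secure_session_start()`, `session_login()` and `session_client_key()` are mine, not PHP's.

```php
<?php
// Added example (not the thread's patch): bind a PHP session to the client
// address in userland, and issue a fresh id at login so a fixed id is useless.
// Assumption: the application calls secure_session_start() on every request
// before touching $_SESSION, and session_login() right after authentication.

// Number of leading IPv4 octets that must match: 4 = exact address (strict),
// 3 = same /24, for intranets where clients sit behind a pool of proxies.
define('SESSION_BIND_OCTETS', 4);

// Reduce an IPv4 address to the prefix that is compared (IPv4 only, by assumption).
function session_client_key($ip, $octets)
{
    $parts = explode('.', $ip);
    if (count($parts) != 4) {
        return 'invalid:' . $ip;   // never matches a stored key
    }
    return implode('.', array_slice($parts, 0, $octets));
}

function secure_session_start()
{
    session_start();
    $key = session_client_key($_SERVER['REMOTE_ADDR'], SESSION_BIND_OCTETS);

    if (!isset($_SESSION['bound_ip'])) {
        // First use of this session id: bind it to the client now.
        $_SESSION['bound_ip'] = $key;
        return;
    }
    if ($_SESSION['bound_ip'] !== $key) {
        // Same session id presented from another network location
        // (stolen or fixed id): discard the data and start a clean session.
        $_SESSION = array();
        session_destroy();
        session_start();
        session_regenerate_id();
        $_SESSION['bound_ip'] = $key;
    }
}

// Call after credentials have been verified. A new id at login means an id
// the attacker planted in the victim's browser beforehand never becomes
// an authenticated session.
function session_login($user)
{
    session_regenerate_id();
    $_SESSION['user']     = $user;
    $_SESSION['bound_ip'] = session_client_key($_SERVER['REMOTE_ADDR'], SESSION_BIND_OCTETS);
}
```

session_regenerate_id() exists from PHP 4.3.2, but only PHP 5.1 and later can delete the old session record for you, so on 4.3.x the previous id's data lingers on disk until garbage collection.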