Jordi Canals wrote:
> On Fri, 21 Jan 2005 09:43:38 -0800 (PST), Richard Lynch <ceo@xxxxxxxxx>
> wrote:
>
>> Thus my point remains:
>> On a shared server, I don't need to resort to calling this function to
>> hijack your Cookie/session. PHP can read the raw session files. I can
>> write a PHP script to read the raw session files, regardless of what
>> directory the Cookie is set to use to store/retrieve the Cookie whose
>> purpose is to identify those files.
>>
>> This is not something you can "fix" in any real-world scenario where it
>> matters.
>
> Of course you can fix it! You can change your sessions handler and
> save your session data in a database. For that you can use the
> session_set_save_handler().

The OP ruled out a database session very very early on in the thread.

He also has only just now mentioned that he's using suexec and/or cgi, so PHP runs as a specific user.

So, now, the problem, as I understand it, boils down to:

User A, running via suexec and session_set_cookie_params() can set a Cookie in User B's Cookie "realm" also running via suexec.

So User A can hijack User B's cookies, even though they can't read the session files directly.

Oddly enough, my answer remains the same:

If you don't have a high enough level of trust between A and B, then a shared server environment is INAPPROPRIATE and they should get dedicated servers.

I really don't *CARE* if you are talking about COOOOOOKIES or sessions or the Cookies used by sessions, or the server path that the browser will read/send Cookies to/from for the Cookies used by sessions, my answer remains the same:

If you don't have a high enough level of trust between A and B, then a shared server environment is INAPPROPRIATE and they should get dedicated servers.

It's called a "shared" server for a reason -- The users share things. If your users can't share nicely, they shouldn't be on a shared server. Duh.
Even if you somehow hacked session_set_cookie_params to disallow setting values to "Bad" data -- perhaps using some php.ini directives or httpd.conf settings to segregate the Cookie realms (paths) you've only changed one drop in an ocean: They still share a server, and have the ability to damage each other.

[shrug]

That said: If anybody wants to fix this, go right ahead and code up some new directives in php.ini and/or httpd.conf so that PHP can "know" what are allowed values for session_set_cookie_params() for any given user. That's what OpenSource is all about.

--
Like Music? http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)