Vernon Nemitz wrote:
> On Tue, 18 Feb 2014 18:01:02 +0100, Christoph Becker wrote
>> Vernon Nemitz wrote:
>>
>>> But what actually happens is that session_start() creates
>>> a brand-new session-data-file using the ID that had been
>>> supplied in the URL. Our bad guy now has his own private
>>> session started!
>>
>> Which is not a problem per se (unless your authorization check depends
>> solely on the fact that a session exists, which would be very bad). The
>> only problem with this is that it makes session fixation attacks easier.
>> If you don't want to deal with session_regenerate_id() (or don't
>> consider it safe enough), you can enable session.use_strict_mode.
>
> "session.use_strict_mode specifies whether the module will use strict session
> id mode. If this mode is enabled, the module does not accept uninitialized
> session ID. If uninitialized session ID is sent from browser, new session ID
> is sent to browser. Applications are protected from session fixation via
> session adoption with strict mode. Defaults to 0 (disabled)."
>
> This sounds very much like what I was looking for! I need to experiment with
> it to be sure, of course. Thank you!

You're welcome. But note that this ini setting is available only since PHP
5.5.2 (I wasn't aware of that when I replied).

And please reply to the mailing list also (CC) -- other readers might be
interested in the discussion.

--
Christoph M. Becker

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
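The thread above describes two mitigations for session fixation: enabling session.use_strict_mode so that session_start() refuses to adopt an uninitialized ID supplied by the client, and calling session_regenerate_id() at login. The following login fragment is an added example, not code posted by either participant; the user name, the credentialsValid() stub and the 401 handling are assumptions standing in for an application's own logic. It also shows the point Christoph makes in passing: authorization must check what the session contains, not merely that a session exists.

```php
<?php
// Added example: applying the mitigations discussed in the thread.
// PHP 5 syntax is used deliberately, since the thread concerns PHP 5.5.

// 1. Strict mode: session_start() will not adopt an uninitialized session ID
//    arriving from the client; it issues a fresh one instead.
//    The ini setting exists only from PHP 5.5.2 on, so check the version.
if (PHP_VERSION_ID >= 50502) {
    ini_set('session.use_strict_mode', '1');
} else {
    // Older build: strict mode is unavailable, so only the regeneration
    // step below protects against a planted ID.
    trigger_error('session.use_strict_mode requires PHP >= 5.5.2', E_USER_NOTICE);
}

// Do not accept the session ID from the URL at all, and keep the cookie
// unreadable from script (standard hardening, independent of strict mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');

session_start();

// Hypothetical credential check (constructed stand-in for the real one,
// which would use password_verify() against a stored hash).
function credentialsValid($user, $password)
{
    return $user === 'alice' && $password === 'correct horse battery staple';
}

// 2. Regenerate the ID on every privilege change. Whatever ID the client
//    carried before login is discarded together with its data file, so an
//    ID an attacker planted earlier never becomes an authenticated session.
if (isset($_POST['user'], $_POST['password'])
    && credentialsValid($_POST['user'], $_POST['password'])) {
    session_regenerate_id(true);   // true: delete the old session data file
    $_SESSION['user']         = $_POST['user'];
    $_SESSION['logged_in_at'] = time();
}

// 3. Authorization depends on session contents, never on the mere existence
//    of a session: a bare session_start() always produces one.
function isAuthenticated()
{
    return !empty($_SESSION['user']);
}

if (!isAuthenticated()) {
    header('HTTP/1.1 401 Unauthorized');
    exit('login required');
}

echo 'Hello, ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```

The same settings can be placed in php.ini or a .htaccess/php-fpm pool instead of ini_set(); the ini_set() calls here only work because they run before session_start(), which is the point at which the session module reads them.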