Re: session_start() and a bad guy

On Wed, 19 Feb 2014 19:21:06 +0000, Stuart Dallas wrote
> On 19 Feb 2014, at 16:26, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
> 
> > On Wed, 19 Feb 2014 15:21:51 +0000, Stuart Dallas wrote
> >> On 19 Feb 2014, at 14:04, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
> >> 
> >>> Thank you for your feedback.
> >>> One of the other people who responded to my original message
> >>> indicated that in version 5.5.2 of PHP, a new initialization
> >>> thing was added, session.use_strict_mode
> >>> This will ignore the session ID in a URL, if the specified
> >>> session-file does not exist.  Instead, a new session file
> >>> and ID will be created.
> >> 
> >> Great, fine, lovely, except that it only has one effect: it prevents 
> >> "bad guy" from choosing the name of his session. He will still be 
> >> able to create an empty session by specifying a non-existent session 
> >> ID when he makes the request. I really don't see what 
> >> use_strict_mode gives you for the situation you described.
> >> 
> >> -Stuart
> > 
> > Well, it makes no sense for the bad guy to send a "desired" session
> > ID to the server if it will always be ignored.  That is, he might
> > as well just go along with the normal usage that everyone else
> > does, to get a session ID.  It seems to me that that qualifies as
> > a first step in not letting the bad guy get what he wants.
> 
> But you still haven't answered the question. What does "bad guy" get 
> from having his "desired" session ID used instead of one that's 
> randomly assigned? Where's the benefit for him?
> 
> Any "bad guy" worth the name would know this doesn't give him 
> anything, so he won't bother. Why do you think he'd bother?
> 
I don't know everything about the strengths and weaknesses of PHP.
One thing I've wondered about is the range of normal session IDs.
When a webmaster decides to use "levels" of directories for storing
the session files, the names of those directories range from 0-9
and from a-v.  I don't know why "w-z" are not used.  If the bad
guy can create his own session ID, then perhaps he could make the
web server burp on an ID that begins with "x".  Just as a start
for other mischief.  The primary assumption is that the bad guy
DOES know all the strengths and weaknesses of PHP.


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
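To make the defensive side of this exchange concrete, here is an added example (not code from the thread or from PHP itself) of the three server-side measures that remove any value from a client-chosen session ID: rejecting IDs the files handler could never have issued, letting use_strict_mode discard IDs with no existing session file, and regenerating the ID on login. It assumes PHP 5.5.2 or later with the default "files" handler; the character sets are those PHP derives from session.hash_bits_per_character (the "0-9 and a-v" directories in the message above correspond to a value of 5), and onSuccessfulLogin() is a hypothetical hook in the application's own login code.

```php
<?php
// Added example; assumes PHP >= 5.5.2 with the "files" save handler.
// The cookie name follows session.name (PHPSESSID by default).

// 1. Refuse IDs the server could never have generated. The files handler
//    builds IDs from session.hash_bits_per_character:
//    4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z plus "," and "-".
//    Length depends on session.hash_function, so only bound it loosely.
function sessionIdPattern() {
    switch ((int) ini_get('session.hash_bits_per_character')) {
        case 6:  return '/^[0-9a-zA-Z,-]{22,128}$/';
        case 5:  return '/^[0-9a-v]{26,128}$/';
        default: return '/^[0-9a-f]{32,128}$/';
    }
}

function discardBogusSessionId() {
    $name = session_name();
    if (isset($_COOKIE[$name]) && !preg_match(sessionIdPattern(), $_COOKIE[$name])) {
        // Drop the cookie so session_start() mints a fresh ID instead of
        // trying to open a file whose name the client chose (e.g. one
        // starting with "x", which no valid directory level matches).
        unset($_COOKIE[$name]);
    }
}

// 2. Accept only IDs that already exist server-side (use_strict_mode, 5.5.2+),
//    never read the ID from the URL, and keep the cookie away from scripts.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

discardBogusSessionId();
session_start();

// 3. Whatever ID the client arrived with must not survive a privilege
//    change: issue a new ID on login and delete the old session file.
//    (Hypothetical hook; call it from the application's login handler.)
function onSuccessfulLogin($userId) {
    session_regenerate_id(true);      // true = remove the old session file
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth_at'] = time();
}
```

With these settings an attacker-supplied ID is either rejected outright, replaced by use_strict_mode, or invalidated by the regeneration at login, so there is nothing to be gained from choosing one.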