
Marc Delisle wrote:
> Garvin Hicking wrote:
>> Hi!
>>
>>> Can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
>>
>> The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
>
> Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006....

You can do this without session_regenerate_id() too.

> But, as you say, there would still be the hijacking problem, so let's say that regenerating session id could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.

But we have no hijacking problem - the login is not stored in the session!

-- 
Sebastian Mendel
www.sebastianmendel.de
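As an added example that is not part of the thread (and not phpMyAdmin's code), the countermeasure Garvin describes, in PHP: the session ID is replaced only after the credential check succeeds, so an ID planted before login is useless afterwards. check_credentials() and its sample account are constructed stand-ins; the second function shows the manual rewrite Sebastian alludes to, written with current PHP functions rather than anything PHP 4 offered.

```php
<?php
// Added example, not from the mailing-list thread or the phpMyAdmin code base.
declare(strict_types=1);

// Hypothetical stand-in for the application's own credential check,
// with one constructed sample account.
function check_credentials(string $user, string $pass): bool
{
    $known = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    return isset($known[$user]) && password_verify($pass, $known[$user]);
}

// Returns true only if the caller ends up with a session ID different from
// the one it arrived with, i.e. a fixated ID has been discarded.
function login(string $user, string $pass): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $preLoginId = session_id();   // possibly chosen by someone else (fixation)

    if (!check_credentials($user, $pass)) {
        return false;             // keep the old, unauthenticated session
    }

    // Issue a fresh ID now that the user is authenticated. The argument `true`
    // deletes the old session file, so the planted ID cannot be reused;
    // existing $_SESSION data is carried over to the new ID.
    session_regenerate_id(true);

    $_SESSION['user'] = $user;
    $_SESSION['authenticated_at'] = time();
    return session_id() !== $preLoginId;
}

// The same effect without session_regenerate_id(): copy the data, destroy the
// old session, start a new one under a random ID, restore the data.
function regenerate_id_manually(): void
{
    $data = $_SESSION;
    session_destroy();
    session_id(bin2hex(random_bytes(16)));
    session_start();
    $_SESSION = $data;
}

var_dump(login('alice', 'correct horse'));   // true: ID changed after login
var_dump(login('alice', 'wrong'));           // false: nothing regenerated
```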