Marc Delisle wrote:
> Garvin Hicking wrote:
>> Hi!
>>
>>> Can't we implement some of the countermeasures explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
>>
>> The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
>
> Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006....

>> You can do this without session_regenerate_id() too.
>
> But, as you say, there would still be the hijacking problem, so let's say that regenerating the session ID could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.

But we have no hijacking problem - the login is not stored in the session!
-- 
Sebastian Mendel
www.sebastianmendel.de
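The two approaches discussed in the thread (session_regenerate_id() after login, and doing the same by hand on PHP older than 4.3.2, plus the optional IP binding from section 5), as an added illustration that is not phpMyAdmin's code; credentials_ok() and the ID-generation scheme are this example's own assumptions:

```php
<?php
// Added example: renew the session ID at login so that an ID an attacker
// fixed before authentication never becomes the authenticated session.

function regenerate_session()
{
    if (function_exists('session_regenerate_id')) {
        // PHP >= 4.3.2. Passing true (PHP >= 5.1) also removes the old
        // session file; omitted here to stay compatible with the thread.
        session_regenerate_id();
        return;
    }
    // Manual equivalent: keep the data, drop the old session and start a
    // new one under a freshly generated, unpredictable ID (assumed scheme).
    $data = $_SESSION;
    session_unset();
    session_destroy();
    session_id(sha1(uniqid(mt_rand(), true)));
    session_start();
    $_SESSION = $data;
}

// credentials_ok() is hypothetical: any password check of your choice.
function login($user, $password)
{
    if (!credentials_ok($user, $password)) {
        return false;
    }
    regenerate_session();               // only now bind the login to a session
    $_SESSION['user'] = $user;
    // Optional "section 5" countermeasure: bind the client address. Caveat:
    // legitimate users behind rotating proxies will be logged out.
    $_SESSION['ip'] = $_SERVER['REMOTE_ADDR'];
    return true;
}

function session_is_valid()
{
    return isset($_SESSION['user'], $_SESSION['ip'])
        && $_SESSION['ip'] === $_SERVER['REMOTE_ADDR'];
}
```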