Hi Marc!
The easiest way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
Ok, but this would move our minimum PHP version to 4.3.2. Probably not too bad, see http://www.nexen.net/chiffres_cles/phpversion/php_statistics_for_april_2006....
session_regenerate_id() can be emulated with session_start()...session_destroy()...session_start() commands for earlier versions, where you just copy the $_SESSION array to a temporary array, restart the session and be dealt with.
But, as you say, there would still be the hijacking problem, so let's say that regenerating session id could be added in 2.9.x as an added security measure, not for allowing users to disable their cookies.
Right, session fixation is only a (real) problem when URLs are used. So if we officially only support cookie-enabled sessions, the session regeneration would actually not even be necessary at all. But it would prevent possible future abuse having that in 2.9.x.
Best regards, Garvin
-- 
++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
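The two variants discussed in the mail above, regenerating the session ID after a successful login with session_regenerate_id() on PHP 4.3.2 and later, and emulating it on earlier PHP 4 releases by saving $_SESSION, destroying the session and starting a fresh one, written out as an added example. This is not code from the mail or from phpMyAdmin; the check_credentials() function and its demo credentials are constructed placeholders, and the helper name regenerate_session_id() is an assumption. It also enables session.use_only_cookies (available since PHP 4.3.0) so that session IDs passed in URLs are ignored, which matches the cookie-only support the mail talks about.

```php
<?php
// Added example, not from the original mail: replace the session ID after
// login so that a session ID planted by an attacker (session fixation)
// stops being valid the moment the victim authenticates.

// Constructed placeholder for the real credential check.
function check_credentials($user, $password)
{
    return $user === 'demo' && $password === 'demo-password';
}

// Replace the current session ID while keeping the session data.
// Must be called before any output, since a new Set-Cookie header is sent.
function regenerate_session_id()
{
    if (function_exists('session_regenerate_id')) {
        // PHP >= 4.3.2. From PHP 5.1.0 the boolean argument also deletes
        // the old session file, so the fixated ID cannot be reused at all.
        if (version_compare(PHP_VERSION, '5.1.0', '>=')) {
            return session_regenerate_id(true);
        }
        return session_regenerate_id();
    }

    // Emulation for PHP 4.1.0 - 4.3.1 ($_SESSION exists since 4.1.0):
    // copy the data, destroy the old session, pick a fresh random ID,
    // start a new session under that ID and put the data back.
    $saved = $_SESSION;
    session_destroy();
    session_id(md5(uniqid(mt_rand(), true)));
    session_start();
    $_SESSION = $saved;
    return true;
}

// Accept the session ID from the cookie only, never from the URL
// (session.use_only_cookies is available since PHP 4.3.0).
ini_set('session.use_only_cookies', 1);
session_start();

if (isset($_POST['user'], $_POST['password'])
    && check_credentials($_POST['user'], $_POST['password'])) {
    if (headers_sent()) {
        // Too late to send a new cookie; treat as a configuration error.
        die('login must run before any output is sent');
    }
    // Only now is the session ID changed; the pre-login ID is worthless
    // to whoever planted it.
    regenerate_session_id();
    $_SESSION['user'] = $_POST['user'];
}
```

The call to regenerate_session_id() deliberately happens after the credential check and before anything is written to $_SESSION as an authenticated user, so the attacker-supplied ID never carries a logged-in state. On PHP versions before 5.1.0 the old session file is left behind by session_regenerate_id(); the emulation path avoids that by calling session_destroy() first.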