Garvin Hicking wrote:
> Hi!
> Can't we implement some of the countermeasures as explained in section 5 of this document? For example, binding the legitimate user's IP address to our session data?
The most easy way to counter session fixation is to just perform a session_regenerate_id() after the login. This way, any "fixated" session will be changed to a random session ID after the credentials are entered.
Binding an IP address should IMHO be prevented; it's just security by obscurity and no "real" means against intrusion.
And it is not possible: users may switch proxies between requests (AOL), and proxies do not always provide Forwarded-For headers.
-- Sebastian Mendel
www.sebastianmendel.de
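The countermeasure Sebastian recommends, regenerating the session ID right after a successful credential check, in a complete PHP login handler. This is an added example, not code from the original thread or from Garvin's or Sebastian's project: the in-memory `$users` table, the `login()` function and the POST driver are constructed for illustration. The vulnerable variant is the same code with the `session_regenerate_id(true)` call removed; the `session.use_strict_mode` setting is an extra hardening step (PHP 5.5.2 and later) that the thread does not mention.

```php
<?php
// Added example (not from the original mailing-list post): a login handler
// that defeats session fixation by calling session_regenerate_id() once the
// credentials have been verified, as described in the reply above.

declare(strict_types=1);

// Additional countermeasure beyond the thread: refuse session IDs the server
// never issued, so a fixated ID that has no server-side record is replaced
// even before login. Available since PHP 5.5.2.
ini_set('session.use_strict_mode', '1');
// Keep the cookie out of reach of script (does not stop fixation by itself).
ini_set('session.cookie_httponly', '1');

session_start();

// Constructed in-memory user table; a real application would query a database
// and store the hash once instead of computing it on every request.
$users = [
    'garvin' => password_hash('correct horse', PASSWORD_DEFAULT),
];

/**
 * Verify credentials and, on success, swap the (possibly attacker-chosen)
 * session ID for a fresh random one BEFORE anything sensitive is stored
 * in $_SESSION. Returns the new session ID, or null when login fails.
 */
function login(array $users, string $username, string $password): ?string
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return null;
    }

    // The key step. With delete_old_session = true the old session record is
    // removed, so an ID the attacker planted in the victim's browser (via a
    // crafted link or cookie) no longer maps to the authenticated session.
    // Leaving this line out is exactly the session-fixation weakness.
    session_regenerate_id(true);

    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();

    return session_id();
}

// Minimal driver: POST username and password fields to this script.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $newId = login($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($newId === null) {
        http_response_code(401);
        echo "Login failed\n";
    } else {
        echo 'Logged in; session ID is now ' . htmlspecialchars($newId) . "\n";
    }
}
```

Regenerate the ID on any privilege change (login, role elevation), and destroy the session outright on logout with `session_destroy()`; rotating only on login is the minimum that closes the fixation window the thread is about.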