lists at sebastianmendel.de
Tue Sep 27 05:06:53 CEST 2005
Garvin Hicking wrote:
> (I can only agree to what Michal said - it's only not implemented because nobody
> got down to do it)
>> If you're going to implement this, do not forget that sessions should
>> work also without cookies enabled.
> There is also a problem about which Marc and I talked in the past. We should not
> store sensitive information like passwords in sessions, as usually all session
> data can be accessed from untrusted users on the same webserver, as session
> files are readable for everyone usually.
securing session data/handling is part of the system not of the
application (like some days ago someone said window hijacking is part of
the browser not the app)
even with open_basedir disabled,
to open a file from the tmp dir you need the exact name, as normaly
listing dir contents is not allowed
and guessing the right session id is nearly impossible:
; Select a hash function
; 0: MD5 (128 bits)
; 1: SHA-1 (160 bits)
session.hash_function = 0
; Define how many bits are stored in each character when converting
; the binary hash data to something readable.
; 4 bits: 0-9, a-f
; 5 bits: 0-9, a-v
; 6 bits: 0-9, a-z, A-Z, "-", ","
session.hash_bits_per_character = 5
> Also we need to think about what bad can happen when someone hijacks your
> session id, or uses session fixation.
authentication information does not require to be stored in the session!
authentication system can stay as it is!
www.sf.net/projects/phpdatetime | www.sf.net/projects/phptimesheet
More information about the Developers