Yes, you are right, it was my misunderstanding, sorry guys.


Anyway, hope that posting was useful concerning the subject
of the discussion.


Boyan --
CPT John W. Holmes wrote:
From: "Boyan Nedkov" <[EMAIL PROTECTED]>

[snip]
> ... Short of any severe bugs in PHP's core, there is no way for a
> user of your Web application to modify session data ...
[/snip]

It seems that statement is not completely correct considering the topic
discussed in the paper 'Session Fixation Vulnerability in Web-based
Applications' (http://secinf.net/uplarticle/11/session_fixation.pdf). I
am also interested in the session security issue so any comments on that
publication are welcome.


No, the statement is still correct. The paper discusses how malicious users
could possibly set the SESSION_ID to a predetermined value and then hijack
the session because they know its value. They still cannot directly change
session variables that your script is creating.

In order to combat session fixation, use the session_regenerate_id()
function: http://us2.php.net/manual/en/function.session-regenerate-id.php

---John Holmes...
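The defence John describes, as an added example that is not part of the original thread: a minimal login handler that discards whatever session ID the client arrived with and issues a fresh one with session_regenerate_id() once authentication succeeds. The user store and credentials are constructed for the example, and the ini settings are assumed to be adjustable from the script.

```php
<?php
// Added example, not from the mailing-list thread. Demonstrates the
// session-fixation mitigation discussed above. The $users array is a
// constructed stand-in for a real user store.

// Only accept session IDs that this server issued, and only from the
// cookie, never from the query string. A planted ID that PHP never
// generated is rejected outright with use_strict_mode.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
session_start();

// Constructed user store; real code would read hashes from a database.
$users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];

// Vulnerable pattern (for contrast): after password_verify() succeeds,
// write $_SESSION['user'] and keep the pre-login session ID. Anyone who
// planted that ID now shares the authenticated session.

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Privilege level changes here, so the old ID (which the client, not
    // the server, may have chosen) must be retired. Passing true deletes
    // the old session data so the planted ID maps to nothing.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['login_time'] = time();
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login($users, $_POST['user'] ?? '', $_POST['pass'] ?? '');
    echo $ok ? 'Logged in as ' . htmlspecialchars($_SESSION['user']) : 'Login failed';
}
```

The same regeneration should be repeated at any later privilege change (for example, re-authentication before an administrative action), not only at first login.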

-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php