[PHP] why manual says 'don't use session_register'?

2002-09-24 Thread Giancarlo Pinerolo
The manual has many cautions that say 'do not use session_register, session_is_registered, session_unregister, when the ini setting is register_globals=off'. But they still do work, it seems. Or how exactly do these functions work differently than with reg_globals On? Can I still continue to us

Re: [PHP] disabled cookies and sessions

2002-06-08 Thread Giancarlo Pinerolo
Nick Wilson wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > * and then Chris Sechiatano declared > > You have to code the PHPSESSID into your URL if your browser has cookies > > disabled or else it won't work. > > No. As I said, I have php compiled with --enable-trans-sid >

[PHP] Re: the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
Giancarlo Pinerolo wrote: > > I myself wrote: > > > > Can I tell you more than what the subject says? > > proceeding: > > Close the browser, clean all your cookies, and open any page with that > > ?PHPSESSID=spoofme appended. > > And see what happens.

[PHP] Re: the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
I myself wrote: > > Can I tell you more than what the subject says? > proceeding: > Close the browser, clean all your cookies, and open any page with that > ?PHPSESSID=spoofme appended. > And see what happens. > > 1) No cookies are left > 2) a session 'spoofme' is created > > Do you need more?

[PHP] the ?PHPSESSID=spoofme 'bug'

2002-06-07 Thread Giancarlo Pinerolo
Can I tell you more than what the subject says? proceeding: Close the browser, clean all your cookies, and open any page with that ?PHPSESSID=spoofme appended. And see what happens. 1) No cookies are left 2) a session 'spoofme' is created Do you need more? Javascript url injection and cross site

[PHP] Re: emulating --enable-trans-sid -- project idea?

2002-06-07 Thread Giancarlo Pinerolo
Justin French wrote: > > Hi all, > > About 2.30 in the morning I started kicking around an idea, based on the > recent discussions on sessions, and what --enable-trans-sid did. > > From my understanding: > > + if there is no session cookie, set a cookie AND append a > session ID to URLs

[PHP] Re: emulating --enable-trans-sid -- project idea?

2002-06-06 Thread Giancarlo Pinerolo
Justin French wrote: > > Hi all, > > About 2.30 in the morning I started kicking around an idea, based on the > recent discussions on sessions, and what --enable-trans-sid did. > > From my understanding: > > + if there is no session cookie, set a cookie AND append a > session ID to URLs

[PHP] session security

2002-06-02 Thread Giancarlo Pinerolo
Why can a user force php to create a session he's giving the name in the URL? Do you want me to list half a dozen ways to get rich now with these holes? Does anyone understand the malice of this? Anyone can offer you a click on a session he's going to visit later and hijack from you? Anyone can