[13666] in cryptography@c2.net mail archive
Re: Session Fixation Vulnerability in Web Based Apps
daemon@ATHENA.MIT.EDU (Nick Popoff)
Wed Jun 18 08:16:35 2003
X-Original-To: cryptography@metzdowd.com
Date: Tue, 17 Jun 2003 18:19:38 -0700 (PDT)
From: Nick Popoff <cryptic-wasabi@bloodletting.com>
To: Ian Grigg <iang@systemics.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
In-Reply-To: <3EEF93FB.46AF2EB1@systemics.com>
On Tue, 17 Jun 2003, Ian Grigg wrote:
> does anyone know the easy way to secure a PHP website against
> session fixation?
I noticed that the PHP documentation includes a new section on session
insecurity and a link to the paper on session fixation.
http://www.php.net/manual/en/ref.session.php
The latest version of PHP (4.3.2) includes a new function which should be
called by your login processing page as soon as you mark the session as
logged in to generate a new session ID. That should solve the session
fixation problem since any previous session is discarded by this function.
http://www.php.net/manual/en/function.session-regenerate-id.php
Unfortunately it does seem that anyone using the PHP session generator is
vulnerable until they apply this change. I suspect the PHP mailing lists
have been buzzing about this. Further discussion of PHP should probably
go there rather than here.
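As an added illustration of the fix the mail describes (this is example code, not from the original message or from the PHP project): the session ID the browser presents before login may have been planted by an attacker, so the login handler calls session_regenerate_id() at the moment the session becomes authenticated. The example targets current PHP rather than the 4.3.2 release mentioned above, since the $delete_old_session argument of session_regenerate_id() only exists from PHP 5.1.0 and the syntax used here needs PHP 7 or later; the credential check, the user table and the $_POST field names are assumed for illustration.

```php
<?php
// Added example: session fixation, the vulnerable login beside the hardened one.
// Assumed names: login_fixation_prone(), login_hardened(), check_password(), $USERS.

// Reject session IDs PHP has not itself issued (setting exists from PHP 5.5.2) and
// refuse to accept them from the URL, so a planted ?PHPSESSID=... link is ignored.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Constructed stand-in for the application's user table (hashes built at startup).
$USERS = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function check_password(array $users, string $user, string $password): bool
{
    // Assumed credential check; a real application would query its user store.
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

// VULNERABLE: keeps whatever session ID the client presented. If an attacker
// fixed that ID in the victim's browser beforehand, the attacker now holds a
// logged-in session under the same ID.
function login_fixation_prone(string $user): void
{
    $_SESSION['user'] = $user;
}

// HARDENED: the privilege boundary gets a fresh ID, so any pre-login ID the
// attacker knows never maps to authenticated state. The `true` argument
// deletes the old session data on the server instead of leaving a copy behind.
function login_hardened(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');

    if (check_password($USERS, $user, $pass)) {
        login_hardened($user);          // not login_fixation_prone($user)
        header('Location: /home.php', true, 303);
        exit;
    }

    http_response_code(401);
    echo 'login failed';
    exit;
}
?>
<form method="post">
  <input name="user"><input name="password" type="password">
  <button>Log in</button>
</form>
```

Two points worth keeping in mind: session_regenerate_id() must run after the credentials are verified and before any privileged data is written into $_SESSION, and on older PHP without the $delete_old_session argument the previous session file stays on disk until garbage collection, so the application should unset its contents itself. Regenerating the ID on every request is unnecessary and breaks concurrent requests; the login (and any other step that raises privilege) is the place for it.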
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com