php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #9170 session_start() session_resume() session_create()
Submitted: 2001-02-08 04:23 UTC Modified: 2002-01-28 19:58 UTC
From: sivasubraj at lycosmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: sivasubraj at lycosmail dot com
New email:
PHP Version: OS:

 

 [2001-02-08 04:23 UTC] sivasubraj at lycosmail dot com
WARNING: possible exploitation
When a client requests a PHPSESSID that doesn't exists on the server, session_start() creates one with the same SID. In this manner the client could write a SID of his choice, even a long one or a dangerous one. Or more commonly, an HTTP cache somewhere could send a previously used phpsessid but that was closed. 
If session_start() creates a (previously closed) phpsession with the same sid specified by the client, some ugly effects could happen. 

Please make a new function, session_resume() that tries to resume phpsession, but never to create new one. Viceversa, session_create() should be able only to create.

session_resume($sid) : return TRUE when the specified session exists and thus is correctly resumed, FALSE otherwise.
session_create($sid) : retun TRUE when a non-existent session is correctly created, FALSE otherwise

In this manner I could code in this manner: 

if (isset($HTTP_GET_VARS['session_id'])) {
         $sid = $HTTP_GET_VARS['session_id'])

} else if (isset($HTTP_POST_VARS['session_id'])) {
         $sid = $HTTP_POST_VARS['session_id'])

} else if (isset($HTTP_COOKIE_VARS['session_id'])) {
         $sid = $HTTP_COOKIE_VARS['session_id'])

};

if (isset($sid)) {          // the client requests to resume a session
         $ok = session_resume( $sid );
         if (!$ok) { 
	  session_create(); // with a NEW random sid
	 };      

} else {
         session_create();  

};

Alternatively, it would be nice if there is a new function, say session_nstart that resumes existent phpsession returning "resumed", otherwise creates a new session  *with a different sid*, returning "new".

It is very important for me, thanks!
regards, siva

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-28 19:58 UTC] yohgaki@php.net
I made this bogus, please ask why in php-general.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 15:01:29 2024 UTC