php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #9170 session_start() session_resume() session_create()
Submitted: 2001-02-08 04:23 UTC Modified: 2002-01-28 19:58 UTC
From: sivasubraj at lycosmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: linux
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: sivasubraj at lycosmail dot com
New email:
PHP Version: OS:

 

 [2001-02-08 04:23 UTC] sivasubraj at lycosmail dot com
WARNING: possible exploitation
When a client requests a PHPSESSID that doesn't exists on the server, session_start() creates one with the same SID. In this manner the client could write a SID of his choice, even a long one or a dangerous one. Or more commonly, an HTTP cache somewhere could send a previously used phpsessid but that was closed. 
If session_start() creates a (previously closed) phpsession with the same sid specified by the client, some ugly effects could happen. 

Please make a new function, session_resume() that tries to resume phpsession, but never to create new one. Viceversa, session_create() should be able only to create.

session_resume($sid) : return TRUE when the specified session exists and thus is correctly resumed, FALSE otherwise.
session_create($sid) : retun TRUE when a non-existent session is correctly created, FALSE otherwise

In this manner I could code in this manner: 

if (isset($HTTP_GET_VARS['session_id'])) {
         $sid = $HTTP_GET_VARS['session_id'])

} else if (isset($HTTP_POST_VARS['session_id'])) {
         $sid = $HTTP_POST_VARS['session_id'])

} else if (isset($HTTP_COOKIE_VARS['session_id'])) {
         $sid = $HTTP_COOKIE_VARS['session_id'])

};

if (isset($sid)) {          // the client requests to resume a session
         $ok = session_resume( $sid );
         if (!$ok) { 
	  session_create(); // with a NEW random sid
	 };      

} else {
         session_create();  

};

Alternatively, it would be nice if there is a new function, say session_nstart that resumes existent phpsession returning "resumed", otherwise creates a new session  *with a different sid*, returning "new".

It is very important for me, thanks!
regards, siva

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-28 19:58 UTC] yohgaki@php.net
I made this bogus, please ask why in php-general.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 10 04:01:27 2024 UTC