|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2002-01-28 19:58 UTC] yohgaki@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 27 16:01:27 2024 UTC |
WARNING: possible exploitation When a client requests a PHPSESSID that doesn't exists on the server, session_start() creates one with the same SID. In this manner the client could write a SID of his choice, even a long one or a dangerous one. Or more commonly, an HTTP cache somewhere could send a previously used phpsessid but that was closed. If session_start() creates a (previously closed) phpsession with the same sid specified by the client, some ugly effects could happen. Please make a new function, session_resume() that tries to resume phpsession, but never to create new one. Viceversa, session_create() should be able only to create. session_resume($sid) : return TRUE when the specified session exists and thus is correctly resumed, FALSE otherwise. session_create($sid) : retun TRUE when a non-existent session is correctly created, FALSE otherwise In this manner I could code in this manner: if (isset($HTTP_GET_VARS['session_id'])) { $sid = $HTTP_GET_VARS['session_id']) } else if (isset($HTTP_POST_VARS['session_id'])) { $sid = $HTTP_POST_VARS['session_id']) } else if (isset($HTTP_COOKIE_VARS['session_id'])) { $sid = $HTTP_COOKIE_VARS['session_id']) }; if (isset($sid)) { // the client requests to resume a session $ok = session_resume( $sid ); if (!$ok) { session_create(); // with a NEW random sid }; } else { session_create(); }; Alternatively, it would be nice if there is a new function, say session_nstart that resumes existent phpsession returning "resumed", otherwise creates a new session *with a different sid*, returning "new". It is very important for me, thanks! regards, siva