Session Fixation Vulnerability in Web Based Apps
Nick Popoff
cryptic-wasabi at bloodletting.com
Tue Jun 17 21:19:38 EDT 2003
On Tue, 17 Jun 2003, Ian Grigg wrote:
> does anyone know the easy way to secure a PHP website against
> session fixation?
I noticed that the PHP documentation includes a new section on session
insecurity and a link to the paper on session fixation.
http://www.php.net/manual/en/ref.session.php
The latest version of PHP (4.3.2) includes a new function which should be
called by your login processing page as soon as you mark the session as
logged in to generate a new session ID. That should solve the session
fixation problem since any previous session is discarded by this function.
http://www.php.net/manual/en/function.session-regenerate-id.php
Unfortunately, it does seem that anyone using the PHP session generator is
vulnerable until they apply this change. I suspect the PHP mailing lists
have been buzzing about this. Further discussion of PHP should probably
go there rather than here.
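The login step the post describes, as an added PHP example that is not part of the original message or of the PHP manual: the session ID is regenerated at the exact point the session becomes "logged in", so an ID planted in the victim's browser before login is no longer honoured afterwards. The user table, the form field names `user` and `pass`, and the redirect target `/account` are constructed for the example; `session.use_strict_mode` is a later PHP setting (5.5.2+) added here because it closes the other half of the problem, the server accepting an ID it never issued.

```php
<?php
// Added example, not code from the original post. A minimal login handler
// that issues a fresh session ID the moment the session gains privileges.

// Refuse session IDs the server did not generate itself (PHP >= 5.5.2).
// Without this, an ID an attacker placed in the victim's cookie is adopted
// as-is by session_start(), which is what makes fixation work.
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.cookie_secure', '1');     // cookie only sent over HTTPS
session_start();

// Constructed user table for the example; a real application reads this
// from its user store.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

function login(array $users, string $user, string $pass): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // Privilege level changes here: replace the ID and delete the old
    // session record so the pre-login ID cannot be replayed. The boolean
    // delete_old_session argument exists since PHP 5.1.0; the 4.3.2 version
    // named in the post takes no argument.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie as well, so the browser stops presenting the old ID.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request dispatch; field names and redirect target are assumptions.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['user'], $_POST['pass'])) {
    if (login($users, (string) $_POST['user'], (string) $_POST['pass'])) {
        header('Location: /account');
    } else {
        http_response_code(401);
        echo 'Login failed';
    }
    exit;
}
```

The regeneration belongs inside `login()` after the credential check and before any data is written to `$_SESSION`, so that nothing of value is ever stored under an ID the client may have chosen; the same call should be repeated at any later privilege change (for example, re-authentication before a sensitive action).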
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com