[nycphp-talk] PHP 4.3.2 released

Jerry Kapron nyphp at NewAgeWeb.com
Fri May 30 15:44:36 EDT 2003


Ed,

> From: Nunez, Eddy <enunez at tiaa-cref.org>
>
>Why do you do this?
>Doesn't PHP 4.2.x and higher create session ids properly?
>Or do you need a specific id for your specific circumstance?
I do this to prevent session hijacking. This trick changes the session id while preserving the session's persistence.
However, unconditional use of this snippet can cause some problems.  For example, using the browser's reload/refresh button on a client with cookies disabled may cause the session to be lost.  I use this code as a part of a larger and knotty session security algorithm and hope that the new session_regenerate_id() will do a much better job.

Cheers,
Jerry

--
42.7% of all statistics are made up on the spot.

>-Ed
>-----Original Message-----
>From: Jerry Kapron [mailto:nyphp at newageweb.com]
>Sent: Thursday, May 29, 2003 9:49 AM
>To: NYPHP Talk
>Subject: Re: [nycphp-talk] PHP 4.3.2 released
>
>
>I can't find anything on the new session_regenerate_id() function yet.
>However if it does what I think it does, here is what I've been using in
>its place:
>
>// at this point the session is already open
>$tmp_SESSION = $_SESSION;          // keep the data so the session stays persistent
>session_unset();
>session_destroy();                 // drop the old id and its storage
>
>// choose a new id and start a fresh session that carries the old data
>session_id(md5(microtime().$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']));
>session_start();
>$_SESSION = $tmp_SESSION;
>unset($tmp_SESSION);
>
>
>Cheers,
>Jerry
>--
>42.7% of all statistics are made up on the spot. 
>
>
>-----Original Message-----
>From: Daniel Kushner <nyphp at websapp.com>
>To: NYPHP Talk <talk at nyphp.org>
>Date: Thursday, May 29, 2003 8:42 AM
>Subject: [nycphp-talk] PHP 4.3.2 released
>
>
>>After a lengthy QA process, PHP 4.3.2 is finally out!
>>This maintenance release solves a lot of bugs found in earlier PHP versions
>>and is a *strongly* recommended upgrade for all users of PHP.
>>
>>PHP 4.3.2 contains, among others, the following important fixes, additions and
>>improvements:
>>
>>- Fixes several potentially hazardous integer and buffer overflows.
>>- Fixes for several 64-bit problems.
>>- New Apache 2.0 SAPI module (sapi/apache2handler, enabled
>>with --with-apxs2).
>>- New session_regenerate_id() function. (Important feature against
>>malicious session planting).
>>- Improvements to dba extension.
>>- Improvements to thttpd SAPI module.
>>- Dropped support for GDLIB version 1.x.x (php_gd.dll) on Windows.
>>- A unix man page for the CLI version of PHP.
>>- New "disable_classes" php.ini option to allow administrators to disable
>>certain classes for security reasons.
>>- ..and a HUGE amount of other bug fixes!
>>
>>For a full list of changes in PHP 4.3.2, see the NEWS file.
>>(http://www.php.net/ChangeLog-4.php).
>>
>>
>>
>>Best,
>>Daniel Kushner
>>Vice President, New York PHP
>>http://nyphp.org/
>>daniel at nyphp.org
>
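For the technique Jerry describes (rotating the session ID at a privilege boundary while keeping the session data), here is an added example in current PHP; it is not code from the thread. It assumes PHP 7 or later with the default files session handler, and the function names `start_hardened_session` and `promote_session` are my own.

```php
<?php
// Added example (not from the thread): rotate the session ID at the login
// boundary with session_regenerate_id(), keeping the session data, in place of
// the manual copy/unset/destroy/restart sequence quoted above.
// Assumes PHP 7+ and the default files session handler.

declare(strict_types=1);

function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Refuse IDs the client made up (fixation) and keep the cookie out of JS.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');
    session_start();
}

// Call once credentials have been verified; returns the new session ID.
function promote_session(array $user): string
{
    start_hardened_session();
    $old = session_id();
    // true deletes the old session file, so a pre-login ID that was observed
    // no longer maps to the authenticated session. This has the same failure
    // mode the thread notes: a client that never picks up the new ID (cookies
    // off, reload) loses the session, so only rotate at privilege changes.
    if (!session_regenerate_id(true)) {
        throw new RuntimeException('session ID regeneration failed');
    }
    if (session_id() === $old) {
        throw new RuntimeException('session ID did not change');
    }
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['auth_time'] = time();
    return session_id();
}

// Stand-alone check on the CLI: pre-login data must survive the rotation.
if (PHP_SAPI === 'cli') {
    start_hardened_session();
    $_SESSION['cart'] = ['sku-1']; // constructed pre-login data
    $before = session_id();
    $after  = promote_session(['id' => 42]); // constructed user record
    assert($after !== $before && $_SESSION['cart'] === ['sku-1']);
    session_write_close();
}
```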