News Feed
Jobs Feed
Sections




News Archive
Stefan Esser's Blog:
What site do you want to break today?
by Chris Cornutt June 18, 2007 @ 08:48:00

In a new post to the PHP Security Blog, Stefan Esser points out a recent commit to the PHP core as a fix to the session handling in PHP:

I just came back home and saw a very recent commit to PHP's session management. It is another attempt to fix the session cookie attribute injection that the PHP developers already tried to fix in PHP 5.2.3 without giving any credits. [...] their new fix that consists of blacklisting a bunch of legal characters from the session id, will most probably result in hundreds or thousands of broken sites.

Stefan points out that the fix blocks several valid characters that sites could potentially use in their session IDs, and that with this new code in place, it could drastically effect those site's functionality.

As of the time of this post, however, it seems that the issue has been recognized and corrected so as not to cause the above mentioned issue in future updates.

0 comments voice your opinion now!
session bugfix commit illegal character session bugfix commit illegal character


blog comments powered by Disqus

Similar Posts

PHP.net: PHP 5.4.0RC3 Released!

Richard Thomas' Blog: Improving PHP Sessions

Zend Developer Zone: The ZendCon Sessions Episode 7: High Performance PHP & MySQL Scaling Techniques

DevShed: Storing PHP Sessions in a Database

PHPMaster.com: Writing Custom Session Handlers


 Community Events











Don't see your event here?
Let us know!

code community framework opinion database phpunit api testing release introduction interview series application example zendframework2 podcast language development functional composer

All content copyright, 2013 PHPDeveloper.org :: info@phpdeveloper.org - Powered by the Solar PHP Framework