Electronics & Programming


Open Source electronics development and programming

  • You are not logged in.
  • Root
  • » PHP
  • » [PHP-DEV] Session Extension Strict Mode Patch [RSS Feed]

#1 Nov. 21, 2005 16:06:30

Stefan E.
Registered: 2009-11-02
Reputation: +  0  -
Profile   Send e-mail  

[PHP-DEV] Session Extension Strict Mode Patch

Hello again,

some of you may remember the discussions about our session extension
using a permissive mode for session id, which means that PHP accepts all
session IDs from the outside and not only those created by itself.

While I have repeatedly stated, that the strict_mode provides only
little additional protection against real world attacks (Yes there are
theoretical advantages of strict mode, but in nearly all cases it does
NOT offer additonal protection), I have created a little patch against
ext/session of PHP5.1 that provides the following new features.


session.use_strict_mode = 0/1 -> to disable or enable strict mode
checking in internal files/mm session handlers (currently it defaults to

session_set_save_handler - does now accept two more (optional) handlers
string create_sid()
bool validate_sid($key)

one can provide NULL as create_sid() handler to use the normal PHP
handler. In validate_sid() one can add his own detection of a given sid
is allowed (f.e. charset) or not. When a SID is not allowed, it will
create a new one through the create_sid() handler.

To implement all this, I had to add the validate_sid function to the
internal structure of session_modules. This means that the sqlite
session module has also to be patched to stay compatible.

The patch is for review at:http://www.suspekt.org/session_strict_mode.patchPlease comment on it. I will add this to the next version of my
Hardening-Patch and would like to sync my idea with what we can put into

Stefan Esser

Stefan Esser
Hardened-PHP Projecthttp://www.hardened-php.net/GPG-Key gpg --keyserver pgp.mit.edu --recv-key 0x15ABDA78
Key fingerprint 7806 58C8 CFA8 CE4A 1C2C 57DD 4AE1 795E 15AB DA78

PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit:http://www.php.net/unsub.php


  • Root
  • » PHP
  • » [PHP-DEV] Session Extension Strict Mode Patch [RSS Feed]

Board footer

Moderator control

Enjoy the 22nd of April

The Forums are managed by develissimo stuff members, if you find any issues or misplaced content please help us to fix it. Thank you! Tell us via Contact Options
Leave a Message
Welcome to Develissimo Live Support