|WikiProject Computer Security / Computing||(Rated Start-class, High-importance)|
|WikiProject Computing||(Rated Start-class, Mid-importance)|
This topic is already mentioned on the Session_hijacking article and the two issues overlap greatly. It seems it would be easiest to deal with both at once. Blackthirteen 22:33, 25 September 2007 (UTC)
This article contains good examples and useful information. I fear that woudl be lost in a merger. This article should be kept as a drill-down page of Session Hijacking. --jodastephen (talk) 12:26, 16 April 2008 (UTC)
6 months later and it has not been merged so I am going to remove the merge template and begin a copy-edit. —Preceding unsigned comment added by Glubbdrubb (talk • contribs) 14:45, 20 January 2009 (UTC)
The title of this article has a typo. It should be Session Fixation.
Spelling and Grammar
I tried to polish this article's writing somewhat. I tried to eliminate as many adjectives as I could and clean up the "I am giving you a tutorial" tone of the article. Much remains to be done, of course. There needs to be more information and slightly less tutorial. However, I kept everything that was there in some form because, reading this for information, I found it helpful. Bluesprite 00:49, 8 April 2007 (UTC)
PHP use in article
A lot of the examples in this article make reference to the PHP language. I'd like to see one of the following: either (a) the code is rewritten in easy-to-read pseudocode, or (b) the code is fixed so it is syntatctically correct PHP. A Pattern O 04:13, 11 April 2006 (UTC)
- I fixed the PHP a few hours ago, but pseudocode, or removing the examples entirely and making the article less of a howto, would be better. --Matt Nordhoff (talk) 08:07, 20 November 2006 (UTC)
It is the Dutch word for balance, so I assume that's what it means.Bluesprite 00:11, 8 April 2007 (UTC)
The tutorial-style content from this article would be good to include in the PHP Wikibook: Wikibooks:Programming:PHP/sessions#Avoiding_Session_Fixation. —Sam Wilson (Australia) (talk) 23:36, 7 May 2008 (UTC)
- The PHP code requires some fixes. Calling session_regenerate_id() after session_destroy() is useless, the session is already destroeyed, hency session_id() returns an empty string. Calling session_start() immediately after session_destroy() has almost the same effect, it generates a new session id. 14:43, 01 January 2009 (UTC) —Preceding unsigned comment added by 184.108.40.206 (talk)
What exactly does this mean:
"However, session identifiers are often accepted from GET/POST as well on these standard systems."
Could anyone explain why we are looking for this in $_SERVER['HTTP_REFERER'] in example in section "Defense in Depth"? It's possibly good idea to explain it in the actual article as well. Sadi (talk) 22:45, 2 March 2009 (UTC)
Would it be a valid countermeasure to store client's IP in the cookie when the cookie is created, and on subsequent requests check that the client's IP matches the IP stored in the cookie?
'loose' IP check?
"A simple workaround to this, but by no means robust, is to carry out a 'loose' IP check whereby you can check the first three out of the four numbers within the IPv4 Address."
This is worthless. Whoever wrote this needs to read up on CIDR. They also need to read up on IPv4 address notation. An IP is just a number and can be represented many different ways. Even the dot notation has many different valid forms. For example: A.B.C.D and A.E can represent the same IP if E is a 24 bit number representing B.C.D. —Preceding unsigned comment added by 220.127.116.11 (talk) 16:31, 5 April 2011 (UTC)