Talk:Session fixation

From Wikipedia, the free encyclopedia
WikiProject Computer Security (Rated Start-class, High-importance)
WikiProject Computing (Rated Start-class, Mid-importance)

Merger proposal

This topic is already mentioned on the Session_hijacking article and the two issues overlap greatly. It seems it would be easiest to deal with both at once. Blackthirteen 22:33, 25 September 2007 (UTC)

This article contains good examples and useful information. I fear that would be lost in a merger. This article should be kept as a drill-down page of Session Hijacking. --jodastephen (talk) 12:26, 16 April 2008 (UTC)

Session_hijacking is a distinctively different issue than this, it would be misleading to merge this. AlexLehm (talk) 18:43, 4 July 2008 (UTC)

6 months later and it has not been merged so I am going to remove the merge template and begin a copy-edit. —Preceding unsigned comment added by Glubbdrubb (talkcontribs) 14:45, 20 January 2009 (UTC)

Title

The title of this article has a typo. It should be Session Fixation.

Spelling and Grammar

I tried to polish this article's writing somewhat. I tried to eliminate as many adjectives as I could and clean up the "I am giving you a tutorial" tone of the article. Much remains to be done, of course. There needs to be more information and slightly less tutorial. However, I kept everything that was there in some form because, reading this for information, I found it helpful. Bluesprite 00:49, 8 April 2007 (UTC)

PHP use in article

A lot of the examples in this article make reference to the PHP language. I'd like to see one of the following: either (a) the code is rewritten in easy-to-read pseudocode, or (b) the code is fixed so it is syntactically correct PHP. A Pattern O 04:13, 11 April 2006 (UTC)

I fixed the PHP a few hours ago, but pseudocode, or removing the examples entirely and making the article less of a howto, would be better. --Matt Nordhoff (talk) 08:07, 20 November 2006 (UTC)

Saldo?

In the sample attack, what the hell is a 'saldo' feature? Is that some kind of metasyntactic variable that I've never heard of? Audiodude 04:28, 8 May 2006 (UTC)

It is the Dutch word for balance, so I assume that's what it means. Bluesprite 00:11, 8 April 2007 (UTC)

PHP Wikibook on Sessions

The tutorial-style content from this article would be good to include in the PHP Wikibook: Wikibooks:Programming:PHP/sessions#Avoiding_Session_Fixation. —Sam Wilson (Australia) (talk) 23:36, 7 May 2008 (UTC)

The PHP code requires some fixes. Calling session_regenerate_id() after session_destroy() is useless; the session is already destroyed, hence session_id() returns an empty string. Calling session_start() immediately after session_destroy() has almost the same effect: it generates a new session id. 14:43, 01 January 2009 (UTC) —Preceding unsigned comment added by 212.80.224.243 (talk)
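The ordering point in the comment above, shown with a constructed in-memory session store (added here; this is not PHP's implementation nor code from the article): regenerating the id while the session is live moves the data to a fresh id and retires the attacker-known one, whereas destroying first leaves nothing to regenerate. `SessionStore`, `login` and `login_wrong_order` are illustrative names.

```python
import secrets
from typing import Dict, Optional

# Constructed model of session_start(), session_regenerate_id(true) and
# session_destroy(); behaviour is simplified, not PHP's own.
class SessionStore:
    def __init__(self, strict: bool = True) -> None:
        self._data: Dict[str, dict] = {}
        # strict=False models a server that adopts any id the client presents,
        # which is what lets an attacker-chosen id survive into the login.
        self._strict = strict

    def start(self, presented: Optional[str]) -> str:
        if presented and (presented in self._data or not self._strict):
            self._data.setdefault(presented, {})
            return presented
        sid = secrets.token_hex(16)
        self._data[sid] = {}
        return sid

    def regenerate(self, sid: str) -> str:
        # Only meaningful while the session is live; after destroy() there is
        # nothing to migrate, so we return "" (the empty session_id() case).
        if sid not in self._data:
            return ""
        new_sid = secrets.token_hex(16)
        self._data[new_sid] = self._data.pop(sid)  # old id stops resolving
        return new_sid

    def destroy(self, sid: str) -> None:
        self._data.pop(sid, None)

    def set_user(self, sid: str, user: str) -> None:
        self._data[sid]["user"] = user

    def user_for(self, sid: str) -> Optional[str]:
        return self._data.get(sid, {}).get("user")


def login(store: SessionStore, presented: Optional[str], user: str) -> str:
    """Right order: regenerate while live, then attach privilege to the new id."""
    sid = store.start(presented)
    sid = store.regenerate(sid)
    store.set_user(sid, user)
    return sid


def login_wrong_order(store: SessionStore, presented: Optional[str], user: str) -> str:
    """Destroy first, then regenerate: regeneration has nothing to act on."""
    sid = store.start(presented)
    store.destroy(sid)
    return store.regenerate(sid)  # "" -> no session exists to hold `user`
```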

Clarification

What exactly does this mean:

"However, session identifiers are often accepted from GET/POST as well on these standard systems."

I am trying to improve the grammar but I occasionally need to know what the author means. Please help. --Glubbdrubb (talk) 15:15, 20 January 2009 (UTC)

https://DiD/ ?

Could anyone explain why we are looking for this in $_SERVER['HTTP_REFERER'] in the example in section "Defense in Depth"? It's possibly a good idea to explain it in the actual article as well. Sadi (talk) 22:45, 2 March 2009 (UTC)

I'm sorry, could you explain your question? Sephiroth storm (talk) 00:11, 4 March 2009 (UTC)

Client IP in cookie?

Would it be a valid countermeasure to store the client's IP in the cookie when the cookie is created, and on subsequent requests check that the client's IP matches the IP stored in the cookie?

'loose' IP check?

"A simple workaround to this, but by no means robust, is to carry out a 'loose' IP check whereby you can check the first three out of the four numbers within the IPv4 Address."

This is worthless. Whoever wrote this needs to read up on CIDR. They also need to read up on IPv4 address notation. An IP is just a number and can be represented many different ways. Even the dot notation has many different valid forms. For example: A.B.C.D and A.E can represent the same IP if E is a 24 bit number representing B.C.D. —Preceding unsigned comment added by 173.178.6.171 (talk) 16:31, 5 April 2011 (UTC)
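The notation point above, as an added example that is not from the article: the A.E form the comment mentions is accepted by inet_aton, so a check that compares the first three dot-separated strings does not even recognise the same address as equal, while canonicalising and testing /24 membership does. `canonical_ipv4`, `naive_loose_match` and `same_slash24` are names chosen here.

```python
import socket
import ipaddress

# Constructed example: canonicalise the dotted forms inet_aton accepts
# (A.B.C.D, A.B.C, A.B, A) and compare /24 membership on the numeric address,
# instead of comparing the first three dot-separated strings.
def canonical_ipv4(text: str) -> ipaddress.IPv4Address:
    """inet_aton parses the short forms; its 4-byte result is the canonical address."""
    return ipaddress.IPv4Address(socket.inet_aton(text))


def naive_loose_match(a: str, b: str) -> bool:
    """The 'first three numbers' check taken literally: a string comparison."""
    return a.split(".")[:3] == b.split(".")[:3]


def same_slash24(a: str, b: str) -> bool:
    """Proper CIDR test: is b inside the /24 that contains a?"""
    net = ipaddress.ip_network(f"{canonical_ipv4(a)}/24", strict=False)
    return canonical_ipv4(b) in net
```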