Regenerate session id only on impossible level #636
Conversation
|
I've just checked and it looks good. Could you add a comment around this to explain that it is allowing session fixation by only changing the session name on the impossible level. |
|
Sorry, I'm not sure what you mean. Impossible level will prevent session fixation by regenerating the session id, other levels will not and will keep the existing id. Do you want me to add this kind of comment? |
|
Just update your code comment to say why the code is like it is, why the lower levels are reusing the session name so that session fixation becomes an issue but for impossible we create a new name so fixation isn't possible. So that people reviewing the code can understand what is going on. |
|
There you go. Is that alright? (First time contributing to a public project, so I apologize for any inconvenience) |
|
Just to be really picky, can you remove the space before the comment on line 68, after that, it is ready to go. It is all really good and thanks for the submission. I don't know if anyone uses the session fixation attack, but we know it is there. |
|
Sure. Removed one on line 97 also and an extra new line on 45. |
|
Brilliant, thanks. |
To force a new Set-Cookie header in order to update the flags, a call to session_regenerate_id() is made.
This prevents session fixation attacks.
This commit only regenerate the id if the level is impossible.
Otherwise, session_id() is called, with the current id if it exists, which will also force a Set-Cookie header, with the correct flags.