PHP session handler ignores session.use_strict_mode #1033
Comments
Just for completeness' sake, this would be the expected behavior:
1ma@werkbox:~$ http -v 127.0.0.1 Cookie:PHPSESSID=madeupkey
GET / HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: PHPSESSID=madeupkey
Host: 127.0.0.1
User-Agent: HTTPie/0.9.6
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Connection: close
Content-type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Host: 127.0.0.1
Pragma: no-cache
Set-Cookie: PHPSESSID=4v3lkha0emji0kk6lgl1lefsi1; path=/
You have visited us 1 times
1ma@werkbox:~$ ls -l /tmp
-rw------- 1 1ma 1ma 11 nov 25 13:50 sess_4v3lkha0emji0kk6lgl1lefsi1
What's the status?
Should be fixed by #1351
overview of the problem
session.use_strict_mode prevents the user agent from setting its own key value for its session. However, when using the Redis session handler this setting is currently being ignored. Unfortunately this prevents a PHP application using the Redis session handler from protecting against session fixation attacks.
steps to reproduce
This has been tested against PHP 7.0.13, redis-server 3.2.5 and php-redis 3.0.0
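To make the mechanism behind the report concrete, here is an added example (not phpredis code, and not what the C extension does internally) of the contract PHP uses to honour session.use_strict_mode: a userland save handler that implements SessionUpdateTimestampHandlerInterface, available since PHP 7.1, so that PHP can call validateId() on the client-supplied ID before adopting it. The backend is an in-process array standing in for Redis, and the key prefix PHPREDIS_SESSION: is an assumption used for illustration. The driver at the bottom replays the request from the comment above (a made-up PHPSESSID) and shows that the server never adopts it.

```php
<?php
// Added example: strict-mode-aware session handler (array-backed stand-in for Redis).
declare(strict_types=1);

final class StrictArraySessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    /** @var array<string, string> key => serialized session data */
    private array $store = [];

    // Assumed key prefix, for illustration only.
    private string $prefix = 'PHPREDIS_SESSION:';

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // A handler that only implements read() returns '' for an unknown id,
        // and PHP then adopts that id. That is the behaviour the issue describes.
        return $this->store[$this->prefix . $id] ?? '';
    }

    public function write(string $id, string $data): bool
    {
        $this->store[$this->prefix . $id] = $data;
        return true;
    }

    public function destroy(string $id): bool
    {
        unset($this->store[$this->prefix . $id]);
        return true;
    }

    public function gc(int $max_lifetime): int|false { return 0; }

    // The hook strict mode relies on: only ids the backend already holds are
    // accepted; for anything else PHP mints a fresh id and sends a new cookie.
    public function validateId(string $id): bool
    {
        return isset($this->store[$this->prefix . $id]);
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        // A real Redis handler would refresh the key's TTL here.
        return isset($this->store[$this->prefix . $id]);
    }
}

ini_set('session.use_strict_mode', '1');
ini_set('session.use_cookies', '0');   // CLI demo: no Set-Cookie header needed
ini_set('session.cache_limiter', '');
session_set_save_handler(new StrictArraySessionHandler(), true);

// Request 1: the client presents an id it invented (Cookie: PHPSESSID=madeupkey).
session_id('madeupkey');
session_start();
$issued = session_id();                 // a server-generated id, not 'madeupkey'
$_SESSION['visits'] = 1;
session_write_close();
echo 'requested madeupkey, server used ' . $issued . PHP_EOL;

// Request 2: the client presents the id the server issued; validateId() accepts it.
session_id($issued);
session_start();
$_SESSION['visits']++;
echo 'visits: ' . $_SESSION['visits'] . ', id kept: '
    . var_export(session_id() === $issued, true) . PHP_EOL;
session_write_close();
```

The defensive point is the split between read() and validateId(): as long as a handler only exposes read(), PHP has no way to tell "unknown id" from "empty session" and will happily continue under whatever id the cookie carried, which is exactly what makes session fixation possible. Once validateId() answers false for ids the store has never seen, the behaviour matches the expected output quoted in the comment above, where the forged key is replaced by a server-issued one.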