rfc:precise_session_management
Differences
rfc:precise_session_management [2016/03/09 11:30] – Fix wrong function mentioned. yohgaki | rfc:precise_session_management [2017/09/22 13:28] (current) – external edit 127.0.0.1 | ||
---|---|---|---|
Line 5: | Line 5: | ||
* Date Updated: 2016-01-29 | * Date Updated: 2016-01-29 | ||
* Author: Yasuo Ohgaki < | * Author: Yasuo Ohgaki < | ||
- | * Status: | + | * Status: |
* First Published at: http:// | * First Published at: http:// | ||
* Renamed: https:// | * Renamed: https:// | ||
Line 266: | Line 266: | ||
https:// | https:// | ||
- | === Why this is secure than now === | + | === Why this is more secure than now === |
Currently, users must call session_regenerate_id(FALSE) to have relatively stable session. Therefore, old session data is valid as long as it is accessed even if it should be discarded as invalid session. Attackers can take advantage of this behavior to keep stolen session forever, disabling GC by periodic access to stolen session. | Currently, users must call session_regenerate_id(FALSE) to have relatively stable session. Therefore, old session data is valid as long as it is accessed even if it should be discarded as invalid session. Attackers can take advantage of this behavior to keep stolen session forever, disabling GC by periodic access to stolen session. | ||
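Review bot: the heading fix to "Why this is more secure than now" is correct, but the unchanged paragraph directly beneath it has the same kind of article/grammar slips and would benefit from the same pass in this revision: "to have relatively stable session" reads better as "to have a relatively stable session", "as invalid session" as "as an invalid session", and "keep stolen session forever, disabling GC by periodic access to stolen session" as "keep a stolen session alive indefinitely, defeating GC by accessing the stolen session periodically". Also consider stating explicitly that this is the reason old session data needs a definite expiry rather than relying on last-access time, since that is the security point the heading promises.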
Line 427: | Line 427: | ||
Vote starts 2016-03-09-09: | Vote starts 2016-03-09-09: | ||
- | <doodle title=" | + | <doodle title=" |
* Yes | * Yes | ||
* No | * No |
rfc/precise_session_management.1457523047.txt.gz · Last modified: 2017/09/22 13:28 (external edit)