Re: List Fails on some computers - www missing in url

Posted by Jerry Stuckle on 03/09/07 03:38

tryit@yourself.com wrote:
> In article <cOGdneppj5NsbHHYnZ2dnUVZ_sqdnZ2d@comcast.com>,
> jstucklex@attglobal.net says...
>>>> That's what you don't get. www.example.com is NOT the same as
>>>> example.com.
>
> Yes it is - for any domain issued - denying that simple fact allows PHP
> to continue to ignore a security critical bug. A fact easily tested.
> Try going to any site with either and you get the same result unless
> it's a very old domain. Nobody is now issued with a domain where those
> 2 addresses result in a different IP address. Nobody.
>
>
> It's exactly the same - as you yourself so rightly
> pointed out and thereby made the point yourself-
>
> the WWW is just a convention that means nothing in relation to the
> domain.
>
> However the rest of that string defines the domain.
>
> PHP using sessions constitutes a massive security hazard until this
> serious bug is fixed.
>


NO, NO, NO!!!

www.example.com IS NOT THE SAME as example.com. And neither is the same
as ftp.example.com, mail.example.com, gopher.example.com,
news.example.com, ad nauseam.

"www" is a CONVENTION to identify a website for a particular domain. It
MAY OR MAY NOT be the same as example.com.

I can EASILY (and have) set up domain registrations such that
example.com IS NOT the same as www.example.com. And neither is the same
as any of the others listed above.

www.example.com MAY point to example.com. BUT IT DOES NOT HAVE TO!
That is the key here. And to allow ANY cookie for example.com to be
sent to ANY SUBDOMAIN (or host, as the case may be) for example.com,
such as www.example.com, mail.example.com and so on, is a HUGE security
risk.

THIS IS NOT A PHP PROBLEM! It's how the internet works! That includes
ALL browsers - IE, Mozilla, Firefox, Opera and the rest. If your
"theory" is correct, then EVERYONE ELSE IS WRONG. And I don't think so.

Before you start talking about how you think it should be - you need to
find out how things really work.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
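As an added illustration, not code from this thread or from PHP itself, here is a small model of the RFC 6265 cookie-scoping rules the two posters are arguing about. It assumes PHP's default of an empty session.cookie_domain (no Domain attribute, so the session cookie is host-only) versus setting session.cookie_domain to ".example.com", which makes the cookie reach every subdomain.

```python
# Added example (not from the thread): how a browser scopes cookies per RFC 6265,
# which is why a PHP session cookie set on example.com is not sent to
# www.example.com unless the Domain attribute widens it to every subdomain.
from dataclasses import dataclass
from typing import Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: exact match, or request host ends with
    '.' + cookie_domain (and the request host is not an IPv4 literal)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if request_host == cookie_domain:
        return True
    if not request_host.endswith("." + cookie_domain):
        return False
    return not request_host.replace(".", "").isdigit()


@dataclass
class Cookie:
    name: str
    domain: str      # effective domain stored by the browser
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def store_cookie(name: str, set_on_host: str, domain_attr: Optional[str]) -> Cookie:
    """Model the browser storing a Set-Cookie header received from set_on_host.
    Without a Domain attribute the cookie is host-only (RFC 6265 5.3 step 6);
    a Domain that does not cover the setting host is rejected."""
    if domain_attr is None:
        return Cookie(name, set_on_host.lower(), host_only=True)
    if not domain_matches(set_on_host, domain_attr):
        raise ValueError("Domain attribute does not cover the setting host")
    return Cookie(name, domain_attr.lower().strip("."), host_only=False)


def sent_to(cookie: Cookie, request_host: str) -> bool:
    """RFC 6265 section 5.4: host-only cookies need an exact host match,
    domain cookies go to the domain and every host beneath it."""
    if cookie.host_only:
        return request_host.lower().rstrip(".") == cookie.domain
    return domain_matches(request_host, cookie.domain)


# PHP default (session.cookie_domain empty): Set-Cookie has no Domain attribute.
default_sess = store_cookie("PHPSESSID", "example.com", None)
# session.cookie_domain = ".example.com": the cookie is shared with all subdomains.
wide_sess = store_cookie("PHPSESSID", "example.com", ".example.com")
```

The host-only cookie explains the "list fails" symptom (a session started on example.com is invisible on www.example.com), while the wide cookie shows the exposure Jerry describes: it also travels to mail.example.com and any other host under the domain.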
