Re: List Fails on some computers - www missing in url

Posted by Gordon Burditt on 03/09/07 02:58

>> >> That's what you don't get. www.example.com is NOT the same as
>> >> example.com.
>>
>
>Yes it is - for any domain issued - denying that simple fact allows PHP
>to continue to ignore a security critical bug. A fact easily tested.

Why is this a security bug, whereas a user being able to erase his
session cookie at any time and start a new session ISN'T just as
bad a security bug? Oh, yes, the user can also fiddle with the
HOSTS file so example.com and www.example.com point at different
places *for his browser* even if they don't for the rest of the
world.

There are a number of things PHP does not deal with. Power failures,
for one thing. A lot of the reason PHP does not deal with power
failures is that there's nothing it can do about them.

The same applies to sessions. If the browser doesn't send a session
cookie because the hostname is different, PHP has no way to know
if it was part of a session. There's no way for PHP to fix this,
short of a mind-reading protocol. Even that wouldn't work unless
browsers were made intelligent enough to have a mind to read.

>Try going to any site with either and you get the same result unless
>it's a very old domain. Nobody is now issued with a domain where those
>2 addresses result in a different IP address. Nobody.

A domain is not *issued* with any DNS records at all, other than
NS records pointing at the DNS hosting company the domain owner is
using. And remember, DNS has been around for a long time before
anyone even thought up www. The DNS records for a domain are up
to the owner of that domain, although this is often done with the
advice of techs for the company that hosts the DNS for the domain
(web hosting companies, usually) who are usually NOT the same as
the companies issuing domains (Network Solutions, Register.com,
GoDaddy, etc.).

Did you know that there are domains without any web site at all?
Some just use it for mail. Or for giving host names to all their
dial-modems and customer DSL lines.

>It's exactly the same - as you yourself so rightly
>pointed out and thereby made the point yourself -
>
>the WWW is just a convention that means nothing in relation to the
>domain.
>
>However the rest of that string defines the domain.

It is common for there to be multiple web sites in the same domain
with totally different content. Check out www.microsoft.com and
support.microsoft.com.

>PHP using sessions constitutes a massive security hazard until this
>serious bug is fixed.

The same so-called "bug" exists even if you uninstall PHP.
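
Added example, not part of the thread and not code from the poster: a small Python model of the cookie-scoping rules in RFC 6265 that a browser applies when deciding which cookies to send. It shows why a session cookie set by example.com without a Domain attribute is never sent to www.example.com (the situation described above), and what changes when the server sets Domain=example.com. The hostnames, cookie name and cookie value are constructed for illustration.

```python
"""Model of the RFC 6265 cookie-scoping rules a browser applies.

Added example; hostnames and the cookie value are constructed for
illustration and do not come from the thread.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, lowercase, no leading dot
    host_only: bool  # True when the Set-Cookie header carried no Domain attribute


def _norm(host: str) -> str:
    # Lowercase and strip any leading/trailing dot, as browsers do.
    return host.lower().strip().lstrip(".").rstrip(".")


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: the host equals the domain, or ends with '.' + domain."""
    host, dom = _norm(request_host), _norm(cookie_domain)
    return host == dom or host.endswith("." + dom)


def store_cookie(responding_host: str, domain_attr: Optional[str],
                 name: str = "PHPSESSID",
                 value: str = "constructed-session-id") -> Cookie:
    """Browser storage rule (RFC 6265 s5.3).

    No Domain attribute -> host-only cookie scoped to the exact responding host.
    Domain attribute    -> cookie scoped to that domain, accepted only if the
                           responding host itself domain-matches it.
    """
    host = _norm(responding_host)
    if domain_attr is None:
        return Cookie(name, value, host, host_only=True)
    dom = _norm(domain_attr)
    if not domain_matches(host, dom):
        raise ValueError(f"{host} may not set a cookie for {dom}")
    return Cookie(name, value, dom, host_only=False)


def will_send(cookie: Cookie, request_host: str) -> bool:
    """Sending rule (RFC 6265 s5.4): a host-only cookie goes to exactly one
    host; a domain cookie goes to every host that domain-matches."""
    host = _norm(request_host)
    if cookie.host_only:
        return host == cookie.domain
    return domain_matches(host, cookie.domain)


def session_reach(login_host: str, domain_attr: Optional[str],
                  hosts: Iterable[str]) -> Dict[str, bool]:
    """Which of `hosts` would receive the session cookie issued by login_host."""
    cookie = store_cookie(login_host, domain_attr)
    return {h: will_send(cookie, h) for h in hosts}


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "support.example.com", "example.org"]
    # Default PHP behaviour (no session.cookie_domain): host-only cookie.
    print("no Domain attribute:", session_reach("example.com", None, hosts))
    # session.cookie_domain=example.com: shared by every host under example.com.
    print("Domain=example.com: ", session_reach("example.com", "example.com", hosts))
```

In PHP the Domain attribute of the session cookie comes from `session.cookie_domain` in php.ini, or from `session_set_cookie_params()` called before `session_start()`. Leaving it unset gives a host-only cookie, which is the narrower and safer default: a cookie with Domain=example.com is sent to every host under example.com, including unrelated sites such as the support.microsoft.com case mentioned above. Where a site must answer on both example.com and www.example.com, redirecting one hostname to the other canonical one avoids the mismatch without widening the cookie's scope.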
