Postponed (maintainer needs more info)
Project:
Secure Pages Hijack Prevention
Version:
6.x-1.1
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
12 Feb 2009 at 18:53 UTC
Updated:
26 Nov 2010 at 14:56 UTC
Comments
Comment #1
grendzy commented
Interesting idea. It might be possible; I think the approach would be to regenerate the session the first time an SSL page is visited. That way the old session becomes invalid, and the new session is protected.
Comment #2
agentrickard
Or simply set a cookie on first visit for all users (using hook_boot()), and reset that cookie if people login. The issue is that the cookie setting only happens during hook_user($op == 'login');
Comment #3
grendzy commented
I thought about that, but I was worried that would create an endless loop for user agents that refuse the cookie, because you'd need to redirect to an SSL page to regenerate the session and set the secure cookie.
Comment #4
agentrickard
I just ran into that issue, actually, and for those users ended up setting a pseudo-global in a static variable.
But for users who don't accept cookies, session tokens are meaningless anyway...
To avoid the endless loop, you can also check for isset($_COOKIE[session_name()]), and if it fails, skip your routine (or exit to a message telling people they must have cookies enabled).
Comment #5
damienmckenna
Subscribe.
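The following is an added illustration of the approach worked out in comments #1 to #4 (regenerate the session on the first SSL request, skip user agents that sent no session cookie so they never loop, clear the marker on login); it is not code from the Secure Pages Hijack Prevention module. It assumes the Drupal 6 API (hook_boot(), hook_user() and core's sess_regenerate()); the module name sph_example and the session flag name are made up for the example.

```php
<?php
// Added example, not part of the module. Assumes Drupal 6 core APIs;
// "sph_example" and the session flag name are assumptions.

/**
 * Implementation of hook_boot().
 *
 * Regenerates the session ID the first time a request arrives over SSL, so a
 * session ID that was exposed on a plain-HTTP page can no longer be replayed
 * against the now-protected session (comment #1).
 */
function sph_example_boot() {
  // Plain-HTTP request: nothing to protect yet.
  if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] == 'off') {
    return;
  }
  // No session cookie was sent (cookies refused, or the very first hit).
  // Regenerating and redirecting here would loop forever for agents that
  // refuse cookies (comments #3 and #4), so skip the routine entirely.
  if (!isset($_COOKIE[session_name()])) {
    return;
  }
  // This session has already been regenerated over SSL; nothing to do.
  if (!empty($_SESSION['sph_example_ssl_regenerated'])) {
    return;
  }
  // Only allow the new session cookie to travel over HTTPS, then issue a
  // fresh ID. Drupal 6's sess_regenerate() rewrites the sid in {sessions},
  // so the old ID stops matching any server-side session.
  ini_set('session.cookie_secure', TRUE);
  sess_regenerate();
  $_SESSION['sph_example_ssl_regenerated'] = TRUE;
}

/**
 * Implementation of hook_user().
 *
 * Login changes the session anyway; clear the marker so the next SSL request
 * runs the check again for the newly authenticated session (comment #2).
 */
function sph_example_user($op, &$edit, &$account, $category = NULL) {
  if ($op == 'login') {
    unset($_SESSION['sph_example_ssl_regenerated']);
  }
}
```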