Re: Empty session cookie leads to warning
Hi Christian,
On Wed, Feb 12, 2014 at 4:25 PM, Christian Stoller <[email protected]> wrote:
> > What is the reason for having extremely insecure session ID?
> > Is user sending empty cookie by deleting cookie value?
> >
> > Regards,
> >
>
> Hi Yasuo,
>
> the resource, which has been called, is a dynamic generated playlist file
> (.M3U) and it seemed like the user agent was a Windows Media Player,
> because of the passed HTTP headers. But I have no clue why the empty cookie
> has been sent.
>
> I have extended the application, so that the cookie value is checked and
> the session won't be started if it is empty.
>
> But maybe there is someone who could improve the warning message a bit. In
> this case it could say "The session id is empty or too short."
I cannot prevent clients from sending an empty (invalid) session ID cookie, but I can make the session module try to regenerate the session ID silently when an invalid session ID is sent, regardless of use_strict_mode.
The error message may be too much, as clients can send any session ID cookie.
The issue is that the current code does not distinguish whether the invalid session ID was set by the programmer or by the client.
I'm not sure what the best approach is.
Does anyone have an idea?
Regards,
--
Yasuo Ohgaki
[email protected]
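As an added example (not code from this thread or from PHP's session module), one way to do the check Christian describes in application code: validate the session cookie before session_start() and hand PHP a fresh ID instead of an empty or malformed one. It assumes PHP 7+, the file handler's documented character set (a-z, A-Z, 0-9, comma and minus) and a length bound chosen here for illustration.

```php
<?php
// Added example, not part of the original thread.
// Assumptions: PHP 7+ (random_bytes), file session handler character set,
// and a 22..256 length window picked for this example.

function session_cookie_is_valid(string $id): bool
{
    // An empty value or one with characters the file handler rejects is
    // exactly what makes session_start() emit the warning discussed above,
    // so it is refused here before the session module ever sees it.
    return (bool) preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id);
}

function start_session_safely(): void
{
    $name = session_name();                       // usually PHPSESSID
    $sent = isset($_COOKIE[$name]) ? (string) $_COOKIE[$name] : null;

    if ($sent !== null && !session_cookie_is_valid($sent)) {
        // The client sent something unusable (e.g. an empty cookie from a
        // media player fetching a generated .M3U). Instead of letting
        // session_start() warn, pre-assign a freshly generated ID; PHP then
        // creates a new session under it and sets the cookie in the response.
        session_id(bin2hex(random_bytes(16)));
    }

    // Strict mode additionally makes PHP reject IDs it did not generate
    // itself, which is the defence against a client fixing its own ID.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

start_session_safely();
```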