Newsgroups: php.internals
Xref: news.php.net php.internals:29874
Message-ID: <465C5D1D.7040206@gmail.com>
Date: Tue, 29 May 2007 18:04:29 +0100
To: internals@lists.php.net
Subject: Session security
From: stuttle@gmail.com (Stut)

Hi all,

Just wanted to get your opinion on a discussion currently going on on the general list.

Why does the PHP session extension not use something like the user agent to validate that a session ID has not been hijacked? Or is this something that just hasn't been implemented yet?

-Stut