Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29875 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 29270 invoked by uid 1010); 29 May 2007 17:14:37 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 29255 invoked from network); 29 May 2007 17:14:37 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 May 2007 17:14:37 -0000 Authentication-Results: pb1.pair.com header.from=antony@zend.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=antony@zend.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain zend.com designates 212.25.124.162 as permitted sender) X-PHP-List-Original-Sender: antony@zend.com X-Host-Fingerprint: 212.25.124.162 mail.zend.com Linux 2.5 (sometimes 2.4) (4) Received: from [212.25.124.162] ([212.25.124.162:36029] helo=mail.zend.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 34/17-10662-B7F5C564 for ; Tue, 29 May 2007 13:14:37 -0400 Received: (qmail 8688 invoked from network); 29 May 2007 17:14:33 -0000 Received: from internal.zend.office (HELO ?127.0.0.1?) (10.1.1.1) by internal.zend.office with SMTP; 29 May 2007 17:14:33 -0000 Message-ID: <465C5F78.6030506@zend.com> Date: Tue, 29 May 2007 21:14:32 +0400 User-Agent: Thunderbird 2.0.0.0 (X11/20070326) MIME-Version: 1.0 To: Stut CC: internals@lists.php.net References: <465C5D1D.7040206@gmail.com> In-Reply-To: <465C5D1D.7040206@gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Session security From: antony@zend.com (Antony Dovgal) On 29.05.2007 21:04, Stut wrote: > Hi all, > > Just wanted to get your opinion on a discussion currently going on on > the general list. > > Why does the PHP session extension not use something like the user agent > to validate that a session ID has not been hijacked? Or is this > something that just hasn't been implemented yet? Please elaborate. -- Wbr, Antony Dovgal