Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:29876
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 30416 invoked by uid 1010); 29 May 2007 17:17:02 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 30401 invoked from network); 29 May 2007 17:17:02 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 May 2007 17:17:02 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com  
Received: from [204.11.219.139] ([204.11.219.139:33192] helo=mail.lerdorf.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 60/57-10662-C006C564 for <internals@lists.php.net>; Tue, 29 May 2007 13:17:01 -0400
Received: from trainburn-lm-corp-yahoo-com.local (c-24-6-22-164.hsd1.ca.comcast.net [24.6.22.164])
	(authenticated bits=0)
	by mail.lerdorf.com (8.14.1/8.14.1/Debian-4) with ESMTP id l4THGtx6006983
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Tue, 29 May 2007 10:16:55 -0700
Message-ID: <465C6002.5080209@lerdorf.com>
Date: Tue, 29 May 2007 10:16:50 -0700
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: Stut <stuttle@gmail.com>
CC:  internals@lists.php.net
References: <465C5D1D.7040206@gmail.com>
In-Reply-To: <465C5D1D.7040206@gmail.com>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.90.2/3323/Tue May 29 05:10:43 2007 on colo.lerdorf.com
X-Virus-Status: Clean
Subject: Re: [PHP-DEV] Session security
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Stut wrote:
> Hi all,
> 
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
> 
> Why does the PHP session extension not use something like the user agent
> to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?

The user agent is trivial to spoof.  If you are going to hijack
someone's session, it is very easy to also hijack their user agent
string, so I don't see how that solves anything.

-Rasmus