Newsgroups: php.internals
Xref: news.php.net php.internals:29877
From: mikespook@gmail.com (Xing Xing)
To: Stut
CC: internals@lists.php.net
Date: Wed, 30 May 2007 01:52:28 +0800
Subject: Re: [PHP-DEV] Session security
Message-ID: <465C685C.5000307@gmail.com>
In-Reply-To: <465C5D1D.7040206@gmail.com>
References: <465C5D1D.7040206@gmail.com>

Stut wrote:
> Hi all,
>
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
>
> Why does the PHP session extension not use something like the user
> agent to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?
>
> -Stut
>

Some HTTP proxies may modify the user agent. If there are several HTTP
proxies in a cluster and one of them does something different to the user
agent, there will be trouble.

And, the other way round, to guard against the attacker getting the real
user agent, we could do something like md5(user agent + secret key). Then
even if the attacker gets the md5 string, it is of no use for forging the
real user agent.

Anyway, this should be done in the script layer, not in the session
mechanism. If you need more security, do it in the script; if you don't,
do nothing.

Xing
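As an added example (not code from the thread or from the PHP session extension), here is the script-layer user-agent binding Xing describes: a keyed hash of the User-Agent is stored in the session on creation and compared on every later request, and the proxy case from the post is exercised so the failure mode is visible. The example substitutes hash_hmac() for the post's md5(user agent + secret key), which is an editor's choice of keyed-hash construction rather than the poster's; SECRET_KEY, the function names, and the session array and User-Agent strings used in the simulation are all assumptions constructed for this example.

```php
<?php
// Added example, not from the php.internals thread. It binds a session to a
// keyed fingerprint of the User-Agent in script code, as the post suggests.
// hash_hmac() replaces the post's md5(ua . key); that substitution is the
// editor's, not the poster's. SECRET_KEY and all names are assumptions.

// Per-deployment secret. In a real deployment load it from a file outside the
// web root or from the environment; this literal exists only for the demo.
const SECRET_KEY = 'replace-with-a-long-random-key';

// Keyed fingerprint of the user agent. Without the key, someone who sees the
// stored fingerprint (e.g. in a leaked session file) cannot recover the UA
// and so cannot reproduce it from the hash alone.
function ua_fingerprint(string $userAgent, string $key): string
{
    return hash_hmac('sha256', $userAgent, $key);
}

// Store the fingerprint in the session when the session is first created.
function bind_session_to_ua(array &$session, string $userAgent, string $key): void
{
    $session['ua_fp'] = ua_fingerprint($userAgent, $key);
}

// True when the current request's UA matches the fingerprint bound to the
// session. hash_equals() keeps the comparison constant-time.
function session_matches_ua(array $session, string $userAgent, string $key): bool
{
    if (!isset($session['ua_fp'])) {
        return false;
    }
    return hash_equals($session['ua_fp'], ua_fingerprint($userAgent, $key));
}

// Per-request use with the real $_SESSION would look like this (not run here):
//   session_start();
//   $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
//   if (!isset($_SESSION['ua_fp'])) {
//       bind_session_to_ua($_SESSION, $ua, SECRET_KEY);
//   } elseif (!session_matches_ua($_SESSION, $ua, SECRET_KEY)) {
//       // Policy belongs to the script, as the post says: regenerate or destroy.
//       $_SESSION = [];
//       session_regenerate_id(true);
//   }

// CLI simulation with an array standing in for $_SESSION (constructed data).
function report(string $case, bool $ok): void
{
    echo str_pad($case, 48) . ($ok ? 'match' : 'MISMATCH') . PHP_EOL;
}

$ua = 'Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20070221 Firefox/2.0';
$session = [];
bind_session_to_ua($session, $ua, SECRET_KEY);

// Legitimate user: same browser, same UA string on the next request.
report('same browser, same UA', session_matches_ua($session, $ua, SECRET_KEY));

// Stolen session ID replayed from a different client.
report('stolen ID replayed from another client',
       session_matches_ua($session, 'curl/7.16.1', SECRET_KEY));

// The caveat from the post: one proxy in a cluster rewrites the UA, so the
// legitimate user is treated like an attacker. The script, not the session
// layer, has to decide how strict to be about that.
report('legit user behind a UA-rewriting proxy',
       session_matches_ua($session, $ua . ' via-proxy', SECRET_KEY));
```

Run with `php example.php`. The third case is the point Xing raises: user-agent binding catches a replayed cookie from a different client, but any middlebox that rewrites the header makes the check fail for real users, which is why it belongs in application code where the operator can tune or disable it rather than in the session extension.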