Newsgroups: php.internals
Xref: news.php.net php.internals:29878
From: robert@interjinn.com (Robert Cummings)
To: Rasmus Lerdorf
Cc: Stut, internals@lists.php.net
Subject: Re: [PHP-DEV] Session security
Date: Tue, 29 May 2007 14:07:31 -0400
Organization: InterJinn
Message-ID: <1180462052.6874.204.camel@blobule>
In-Reply-To: <465C6002.5080209@lerdorf.com>
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com>

On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
> Stut wrote:
> > Hi all,
> >
> > Just wanted to get your opinion on a discussion currently going on on
> > the general list.
> >
> > Why does the PHP session extension not use something like the user agent
> > to validate that a session ID has not been hijacked? Or is this
> > something that just hasn't been implemented yet?
>
> The user agent is trivial to spoof. If you are going to hijack
> someone's session, it is very easy to also hijack their user agent
> string, so I don't see how that solves anything.

I agree mostly, but in the case of idiots that post a URL to a site that
includes a PHPSESSID in the URL it would provide a teensy bit more
protection from casual hijacking :)

I agree more with Xing Xing's response though, in that it belongs in the
script layer.

Cheers,
Rob.

--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'
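The thread argues that a user-agent check belongs in the script layer and that it only guards against casual hijacking (a session ID pasted into a shared URL), not against an attacker who deliberately replays the victim's user-agent string. The following is an added example, not code from Robert Cummings, Rasmus Lerdorf, or the PHP project, of what that script-layer check looks like alongside the settings that address the underlying problem (the ID in the URL). It assumes PHP 7 or later, cookie-based sessions, and a hypothetical login handler that calls `bind_session()` after authenticating the user; the function names and the `fp` / `user` session keys are the example's own.

```php
<?php
// Added example (not from the thread): script-layer session binding.
// Assumes PHP 7+; bind_session() is called by a hypothetical login handler.

// Root cause of the "PHPSESSID in a pasted URL" leak: the session ID being
// carried in the URL at all. Keep it in a cookie only, and keep the cookie
// away from scripts. These must be set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');
session_start();

// Fingerprint built from the user agent only. As the thread notes, this is
// trivially spoofed by a deliberate attacker, so it is defence in depth
// against casual reuse of a leaked ID, not a hijack prevention mechanism.
function session_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call once after successful authentication: issue a fresh session ID
// (defeats session fixation) and record the fingerprint it is bound to.
function bind_session(string $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['fp']   = session_fingerprint();
}

// Call on every request that relies on the authenticated session.
function session_is_bound(): bool
{
    if (!isset($_SESSION['fp'])) {
        return false;
    }
    // Constant-time comparison of the stored and current fingerprints.
    return hash_equals($_SESSION['fp'], session_fingerprint());
}

// A mismatch on an authenticated session is treated as a failed check:
// discard the session server-side and require a new login rather than
// silently continuing with a possibly reused ID.
if (isset($_SESSION['user']) && !session_is_bound()) {
    $_SESSION = [];
    session_destroy();
    http_response_code(403);
    exit('Session is no longer valid; please log in again.');
}
```

The `ini_set` lines carry most of the security value here: with `session.use_only_cookies` and `session.use_trans_sid=0`, PHP neither accepts a session ID from the query string nor rewrites one into links, so the pasted-URL case the reply describes cannot arise. The fingerprint check is the "teensy bit more protection" the reply talks about and nothing more; an attacker who already has the cookie value and the victim's user agent passes it.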