Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:29879
Return-Path: <rasmus@lerdorf.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 50655 invoked by uid 1010); 29 May 2007 18:14:50 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 50640 invoked from network); 29 May 2007 18:14:50 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 May 2007 18:14:50 -0000
Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown
Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error)
X-PHP-List-Original-Sender: rasmus@lerdorf.com
X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com  
Received: from [204.11.219.139] ([204.11.219.139:35002] helo=mail.lerdorf.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 15/3A-10662-99D6C564 for <internals@lists.php.net>; Tue, 29 May 2007 14:14:50 -0400
Received: from trainburn-lm.corp.yahoo.com (trainburn-lm.corp.yahoo.com [207.126.233.11])
	(authenticated bits=0)
	by mail.lerdorf.com (8.14.1/8.14.1/Debian-4) with ESMTP id l4TIEWcu016647
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT);
	Tue, 29 May 2007 11:14:32 -0700
Message-ID: <465C6D83.5000000@lerdorf.com>
Date: Tue, 29 May 2007 11:14:27 -0700
User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326)
MIME-Version: 1.0
To: Robert Cummings <robert@interjinn.com>
CC: Stut <stuttle@gmail.com>, internals@lists.php.net
References: <465C5D1D.7040206@gmail.com>  <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule>
In-Reply-To: <1180462052.6874.204.camel@blobule>
X-Enigmail-Version: 0.95.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Virus-Scanned: ClamAV 0.90.2/3323/Tue May 29 05:10:43 2007 on colo.lerdorf.com
X-Virus-Status: Clean
Subject: Re: [PHP-DEV] Session security
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Robert Cummings wrote:
> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
>> Stut wrote:
>>> Hi all,
>>>
>>> Just wanted to get your opinion on a discussion currently going on on
>>> the general list.
>>>
>>> Why does the PHP session extension not use something like the user agent
>>> to validate that a session ID has not been hijacked? Or is this
>>> something that just hasn't been implemented yet?
>> The user agent is trivial to spoof.  If you are going to hijack
>> someone's session, it is very easy to also hijack their user agent
>> string, so I don't see how that solves anything.
> 
> I agree mostly, but in the case of idiots that post a URL to a site that
> includes a PHPSESSID in the URL it would provide a teency bit more
> protection from casual hijacking :)
> 
> I agree more with Xing Xing's responde though, in that it belongs in the
> script layer.

Well, obviously you need an authentication layer separate from the
session layer.  If people are using the session extension as if it was
an authentication layer, then they are amazingly misguided.  The
solution to that is not the session code, but better documentation.

-Rasmus