Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29883 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 73161 invoked by uid 1010); 29 May 2007 19:19:06 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 73146 invoked from network); 29 May 2007 19:19:06 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 May 2007 19:19:06 -0000 Authentication-Results: pb1.pair.com header.from=rasmus@lerdorf.com; sender-id=unknown Authentication-Results: pb1.pair.com smtp.mail=rasmus@lerdorf.com; spf=permerror; sender-id=unknown Received-SPF: error (pb1.pair.com: domain lerdorf.com from 204.11.219.139 cause and error) X-PHP-List-Original-Sender: rasmus@lerdorf.com X-Host-Fingerprint: 204.11.219.139 mail.lerdorf.com Received: from [204.11.219.139] ([204.11.219.139:46386] helo=mail.lerdorf.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 80/6D-10662-8AC7C564 for ; Tue, 29 May 2007 15:19:06 -0400 Received: from trainburn-lm.corp.yahoo.com (trainburn-lm.corp.yahoo.com [207.126.233.11]) (authenticated bits=0) by mail.lerdorf.com (8.14.1/8.14.1/Debian-4) with ESMTP id l4TJIslJ025836 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 29 May 2007 12:18:55 -0700 Message-ID: <465C7C99.4000707@lerdorf.com> Date: Tue, 29 May 2007 12:18:49 -0700 User-Agent: Thunderbird 2.0.0.0 (Macintosh/20070326) MIME-Version: 1.0 To: Robert Cummings CC: Stut , internals@lists.php.net References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> In-Reply-To: <1180463687.6874.210.camel@blobule> X-Enigmail-Version: 0.95.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Scanned: ClamAV 0.90.2/3323/Tue May 29 05:10:43 2007 on colo.lerdorf.com X-Virus-Status: Clean Subject: Re: [PHP-DEV] Session security From: rasmus@lerdorf.com (Rasmus Lerdorf) Robert Cummings wrote: > On Tue, 2007-05-29 at 11:14 -0700, Rasmus Lerdorf wrote: >> Robert Cummings wrote: >>> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote: >>>> Stut wrote: >>>>> Hi all, >>>>> >>>>> Just wanted to get your opinion on a discussion currently going on on >>>>> the general list. >>>>> >>>>> Why does the PHP session extension not use something like the user agent >>>>> to validate that a session ID has not been hijacked? Or is this >>>>> something that just hasn't been implemented yet? >>>> The user agent is trivial to spoof. If you are going to hijack >>>> someone's session, it is very easy to also hijack their user agent >>>> string, so I don't see how that solves anything. >>> I agree mostly, but in the case of idiots that post a URL to a site that >>> includes a PHPSESSID in the URL it would provide a teency bit more >>> protection from casual hijacking :) >>> >>> I agree more with Xing Xing's responde though, in that it belongs in the >>> script layer. >> Well, obviously you need an authentication layer separate from the >> session layer. If people are using the session extension as if it was >> an authentication layer, then they are amazingly misguided. The >> solution to that is not the session code, but better documentation. > > Well the two are quite related. Not that the session is responsible for > authentication, but once authenticated the session data (stored server > side I hope) usually indicates whether a user has already performed > authentication for the current temporary session -- otherwise you'd need > to log back in on every request. As such, a URL posted in the wild > containing a PHPSESSID is vulnerable to hijacking for the lifespan of > the temporary session. Better documentation won't help the completely > ignorant masses of end users :) You really want a separate and distinct signed authentication cookie that has nothing to do with the session. The stored session should indicate which logged in user the session belongs to, but it should never ever be used as the sole authentication cookie. That's what I meant by a separate authentication layer. -Rasmus