Newsgroups: php.internals
Message-ID: <465C7E2C.4030601@gmail.com>
Date: Tue, 29 May 2007 20:25:32 +0100
From: stuttle@gmail.com (Stut)
To: Rasmus Lerdorf
CC: Robert Cummings, internals@lists.php.net
Subject: Re: [PHP-DEV] Session security
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com>
In-Reply-To: <465C7C99.4000707@lerdorf.com>

Rasmus Lerdorf wrote:
> You really want a separate and distinct signed authentication cookie
> that has nothing to do with the session. The stored session should
> indicate which logged in user the session belongs to, but it should
> never ever be used as the sole authentication cookie. That's what I
> meant by a separate authentication layer.

Thanks to everyone for their responses. The issue is not about how a user is initially validated, it's about how you prevent the session ID from being used on a different machine while it's still active on the server. AFAICT using a signed authentication cookie will not do this since it's still coming from the client and can therefore be copied.

The basic question is... is there any way to validate that a session ID coming from the client is coming from the same client?

I don't believe there is since, as Xing pointed out, anything that comes from the client can a) be faked, and b) may change from request to request. This includes the user agent and IP address. However, I'd like clarification on that just in case there's a reliable way to make sessions more secure.

Oh, and also to validate the argument I'm making on PHP-General, but that's really a secondary goal ;)

Cheers.

-Stut
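The layering Rasmus describes (a server-side session that only records which user it belongs to, plus a separately signed authentication cookie that the server checks on every request) is language-independent, so here is an added illustration of it. This is example code written for this page, not code from the thread, from PHP, or from any of its participants; the cookie format `user|expiry|hmac`, the constructed `AUTH_KEY`, the in-memory `SESSIONS` store and the 15-minute `AUTH_TTL` are all assumptions chosen for the demonstration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time

# Constructed demo secret: a real deployment loads this from configuration,
# never from source control, and rotates it.
AUTH_KEY = b"constructed-demo-key-do-not-reuse"
AUTH_TTL = 15 * 60  # seconds an auth cookie stays valid before re-authentication

# Stand-in for the server-side session store (what session_start() would load).
SESSIONS: dict[str, dict] = {}


def start_session() -> str:
    """Create an anonymous session and return its id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None, "cart": []}
    return sid


def issue_auth_cookie(user: str, now: float | None = None) -> str:
    """Build the signed auth cookie: user|expiry|HMAC-SHA256(user|expiry)."""
    now = time.time() if now is None else now
    expiry = int(now) + AUTH_TTL
    payload = f"{user}|{expiry}"
    tag = hmac.new(AUTH_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_auth_cookie(cookie: str, now: float | None = None) -> str | None:
    """Return the user named by a correctly signed, unexpired cookie, else None."""
    now = time.time() if now is None else now
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    user, expiry, tag = parts
    expected = hmac.new(AUTH_KEY, f"{user}|{expiry}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    if not expiry.isdigit() or int(expiry) < now:
        return None
    return user


def login(sid: str, user: str, now: float | None = None) -> tuple[str, str]:
    """Called only after credentials have been verified elsewhere.

    Regenerates the session id on the privilege change, records the user in
    the stored session, and issues the separate auth cookie.
    """
    data = SESSIONS.pop(sid, {"user": None, "cart": []})
    new_sid = secrets.token_hex(16)
    data["user"] = user
    SESSIONS[new_sid] = data
    return new_sid, issue_auth_cookie(user, now)


def authenticated_user(sid: str, auth_cookie: str | None,
                       now: float | None = None) -> str | None:
    """Resolve the request's user: the session and the auth cookie must agree."""
    session = SESSIONS.get(sid)
    if session is None or session["user"] is None:
        return None  # unknown or anonymous session
    if auth_cookie is None:
        return None  # the session id alone never authenticates
    user = verify_auth_cookie(auth_cookie, now)
    if user is None or user != session["user"]:
        return None  # forged, expired, or a cookie for a different user
    return user


if __name__ == "__main__":
    sid = start_session()
    sid, cookie = login(sid, "alice")
    print("with cookie:", authenticated_user(sid, cookie))
    print("session only:", authenticated_user(sid, None))
```

The check in `authenticated_user` is what turns the session into a pointer to a user rather than proof of identity: a session id by itself yields nothing, a cookie whose signature or expiry fails yields nothing, and a valid cookie for a different user than the one the session records yields nothing. It does not answer Stut's question, and is not meant to: a client that presents both the session id and the cookie is accepted, whichever machine it runs on, which is exactly why the short `AUTH_TTL` and the id regeneration in `login` matter, since they bound how long a copied pair stays useful.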