Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:29885
Return-Path: <stas@zend.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 80468 invoked by uid 1010); 29 May 2007 19:29:41 -0000
Delivered-To: ezmlm-scan-internals@lists.php.net
Delivered-To: ezmlm-internals@lists.php.net
Received: (qmail 80453 invoked from network); 29 May 2007 19:29:41 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 29 May 2007 19:29:41 -0000
Authentication-Results: pb1.pair.com smtp.mail=stas@zend.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=stas@zend.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain zend.com designates 63.205.162.114 as permitted sender)
X-PHP-List-Original-Sender: stas@zend.com
X-Host-Fingerprint: 63.205.162.114 unknown Windows 2000 SP4, XP SP1
Received: from [63.205.162.114] ([63.205.162.114:35088] helo=us-ex1.zend.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 80/8E-10662-32F7C564 for <internals@lists.php.net>; Tue, 29 May 2007 15:29:40 -0400
Received: from [127.0.0.1] ([192.168.16.180]) by us-ex1.zend.com with Microsoft SMTPSVC(6.0.3790.1830);
	 Tue, 29 May 2007 12:29:36 -0700
Message-ID: <465C7F1E.3010605@zend.com>
Date: Tue, 29 May 2007 12:29:34 -0700
Organization: Zend Technologies
User-Agent: Thunderbird 2.0.0.0 (Windows/20070326)
MIME-Version: 1.0
CC: Rasmus Lerdorf <rasmus@lerdorf.com>,  internals@lists.php.net
References: <465C5D1D.7040206@gmail.com>  <465C6002.5080209@lerdorf.com>	 <1180462052.6874.204.camel@blobule>  <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com> <465C7E2C.4030601@gmail.com>
In-Reply-To: <465C7E2C.4030601@gmail.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 29 May 2007 19:29:36.0683 (UTC) FILETIME=[B16307B0:01C7A227]
Subject: Re: [PHP-DEV] Session security
From: stas@zend.com (Stanislav Malyshev)

>> You really want a separate and distinct signed authentication cookie
>> that has nothing to do with the session.  The stored session should
>> indicate which logged in user the session belongs to, but it should
>> never ever be used as the sole authentication cookie.  That's what I
>> meant by a separate authentication layer.

Could you explain why? If you can steal session cookie, you definitely 
could steal any other cookie too. So stealing-wise, nothing is gained by 
using separate cookie. Signing would help you to know the cookie is from 
you, but I don't see how it's going to help you to know the cookie 
belongs to whoever is attempting to use it. Could you elaborate?
-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com  http://www.zend.com/