Newsgroups: php.internals
Xref: news.php.net php.internals:29887
Message-ID: <465C8125.7000603@zend.com>
Date: Tue, 29 May 2007 12:38:13 -0700
From: stas@zend.com (Stanislav Malyshev)
Organization: Zend Technologies
To: Stut
CC: Rasmus Lerdorf, Robert Cummings, internals@lists.php.net
In-Reply-To: <465C7E2C.4030601@gmail.com>
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com> <465C7E2C.4030601@gmail.com>
Subject: Re: [PHP-DEV] Session security

> The basic question is... is there any way to validate that a session ID
> coming from the client is coming from the same client?

I'm afraid since there's no way (well, except for the one described below :) to uniquely and securely identify the clients, I don't see how you could do that.

You could use client certificates as a secure client identification, and then probably you could verify that the current client presented the same valid certificate as before, but that doesn't really belong to sessions - it's external to sessions. Not sure how good PHP's support for client certificates is; in any case, unless you have a lot of control over your users, they probably won't like to install any certificates.

Also, if you use SSL (which you probably do if you care about security), as I see it the most frequent way to steal the cookie is to control the user's browser. If the hostile code gained control over the user's browser, it's essentially the same client, so you couldn't distinguish it from the legitimate code.

You could of course try to counter replay attacks (which are only part of the possible attacks) by matching IPs and other auxiliary data, but if you don't have a secure ID for the client there would be cases when it could still not be enough.

-- 
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/
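The two options discussed in the message above, binding the session to a verified client certificate and the weaker fallback of matching IP and other auxiliary data, as an added example. This is not code from the thread or from PHP's own session extension. It assumes Apache with mod_ssl configured with SSLVerifyClient require and SSLOptions +StdEnvVars +ExportCertData, which is what populates the SSL_CLIENT_* entries of $_SERVER used below; the function names and the session key are hypothetical.

```php
<?php
// Added example (not from the original thread or PHP itself): bind a PHP
// session to the TLS client certificate the browser presented when the
// session was created, so a session ID replayed by a different client fails.
//
// Assumptions: Apache with mod_ssl configured with
//   SSLVerifyClient require
//   SSLOptions +StdEnvVars +ExportCertData
// which populate $_SERVER['SSL_CLIENT_VERIFY'], $_SERVER['SSL_CLIENT_CERT']
// (PEM), $_SERVER['SSL_CLIENT_I_DN'] and $_SERVER['SSL_CLIENT_M_SERIAL'].
// These are mod_ssl variable names; the function names below are ours.

declare(strict_types=1);

const SESSION_BINDING_KEY = '_tls_client_binding';

/**
 * Derive a stable identifier for the verified client certificate.
 * Prefers the SHA-256 fingerprint of the exported PEM; falls back to
 * issuer DN + serial (unique per CA) when the PEM is not exported.
 * Returns null if mod_ssl did not verify a client certificate.
 */
function tls_client_binding(array $server): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if ($pem !== '') {
        $fp = openssl_x509_fingerprint($pem, 'sha256');
        if ($fp !== false) {
            return 'fp:' . $fp;
        }
    }
    $issuer = $server['SSL_CLIENT_I_DN'] ?? '';
    $serial = $server['SSL_CLIENT_M_SERIAL'] ?? '';
    if ($issuer === '' || $serial === '') {
        return null;
    }
    return 'dn:' . hash('sha256', $issuer . "\0" . $serial);
}

/**
 * Weaker auxiliary binding (IP + User-Agent) for deployments without client
 * certs. This is the "matching IPs and other auxiliary data" approach: it
 * breaks for users behind rotating proxies or on mobile networks, and an
 * attacker who controls the victim's browser matches it trivially.
 */
function weak_client_binding(array $server): string
{
    return 'weak:' . hash('sha256',
        ($server['REMOTE_ADDR'] ?? '') . "\0" . ($server['HTTP_USER_AGENT'] ?? ''));
}

/**
 * Start the session and enforce the binding. Returns true when the request
 * may use the existing session data; false when no acceptable binding exists
 * or the binding did not match (in which case the session is destroyed and
 * the caller should treat the user as logged out).
 */
function start_bound_session(array $server, bool $allowWeak = false): bool
{
    $binding = tls_client_binding($server);
    if ($binding === null) {
        if (!$allowWeak) {
            return false;   // no verified client cert: refuse outright
        }
        $binding = weak_client_binding($server);
    }

    session_start();

    if (!isset($_SESSION[SESSION_BINDING_KEY])) {
        // First use of this session: record the binding and rotate the ID so
        // an ID fixed before this point is not carried forward.
        $_SESSION[SESSION_BINDING_KEY] = $binding;
        session_regenerate_id(true);
        return true;
    }

    if (!hash_equals((string) $_SESSION[SESSION_BINDING_KEY], $binding)) {
        // Replayed ID from a different client (or the user's cert changed):
        // destroy the session so the stolen cookie is now worthless. This also
        // logs out the legitimate user, which is the safe failure here.
        error_log('session binding mismatch for session ' . session_id());
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Typical use at the top of every request:
if (!start_bound_session($_SERVER, /* allowWeak */ false)) {
    http_response_code(403);
    exit('session rejected');
}
```

The certificate path gives what the message calls a secure ID for the client: the binding is derived from a certificate mod_ssl has already verified, so a cookie copied to another machine is rejected unless that machine also holds the private key. The weak path is kept only to show the limits Stas points out; enable it consciously, and expect false positives from address changes. Neither binding helps against the case the message singles out, hostile code running inside the victim's own browser, because that code presents the same certificate and the same auxiliary data.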