Newsgroups: php.internals
Date: Tue, 29 May 2007 13:06:56 -0700
Message-ID: <465C87E0.8040602@lerdorf.com>
To: Stanislav Malyshev
CC: internals@lists.php.net
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com> <465C7E2C.4030601@gmail.com> <465C7F1E.3010605@zend.com> <465C850D.9070807@lerdorf.com> <465C8641.5040507@zend.com>
In-Reply-To: <465C8641.5040507@zend.com>
Subject: Re: [PHP-DEV] Session security
From: rasmus@lerdorf.com (Rasmus Lerdorf)

Stanislav Malyshev wrote:
>> The session store is just a session store. It is not a
>> login/authentication mechanism and thus doesn't have any of the
>> protections you might want to add to that. Therefore a separate
>> authentication cookie is needed that can separate the two concepts
>
> I don't see how it's "therefore". Yes, session is just a storage. But
> how you derive from it that authentication information can not be stored
> in this storage and how the separate cookie is helping you in any way
> make it more secure?

Because you don't have full control over the session cookie since it is
generated by PHP. For an authentication cookie you want to layer other
application-specific checks on top of it.

-Rasmus
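One way to build the kind of separate authentication cookie the reply describes, as an added example that is not code from this thread or from PHP itself: the cookie carries the user id, an issue time and the PHP session id it belongs to, is signed with an HMAC under a server-side secret, and is checked by the application for signature, lifetime and session binding. Those are the "application-specific checks" that the PHP-generated session cookie alone does not give you. The cookie name, the lifetime constant, the helper function names and the secret placeholder are all assumptions made for this example.

```php
<?php
// Added example, not from the php.internals thread: an authentication cookie
// layered on top of the PHP session. Names below (AUTH_COOKIE, AUTH_TTL,
// auth_secret, auth_cookie_make, auth_cookie_verify) are hypothetical.
declare(strict_types=1);

const AUTH_COOKIE = 'auth';   // hypothetical cookie name
const AUTH_TTL    = 3600;     // hypothetical lifetime in seconds, chosen by the app

// Server-side secret. Placeholder only; load it from configuration in practice.
function auth_secret(): string {
    return 'REPLACE-WITH-A-RANDOM-32-BYTE-SECRET';
}

// Build the cookie value: user id, issue time and the PHP session id the cookie
// is bound to, followed by an HMAC over those fields. Without the secret the
// browser cannot forge or alter any of the fields.
function auth_cookie_make(int $userId, string $sessionId, ?int $now = null): string {
    $now ??= time();
    $payload = $userId . '|' . $now . '|' . $sessionId;
    $mac = hash_hmac('sha256', $payload, auth_secret());
    return base64_encode($payload . '|' . $mac);
}

// Verify a cookie value and return the user id, or null if any check fails:
// malformed encoding, wrong MAC, non-numeric fields, expired lifetime, or a
// session id that does not match the session the request actually carries.
function auth_cookie_verify(string $cookie, string $sessionId, ?int $now = null): ?int {
    $now ??= time();
    $raw = base64_decode($cookie, true);
    if ($raw === false) {
        return null;
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $issued, $boundSession, $mac] = $parts;

    // Check the signature first, in constant time, before trusting any field.
    $payload  = $userId . '|' . $issued . '|' . $boundSession;
    $expected = hash_hmac('sha256', $payload, auth_secret());
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if (!ctype_digit($userId) || !ctype_digit($issued)) {
        return null;
    }
    // Application-chosen lifetime, independent of the session's own lifetime.
    if ((int)$issued + AUTH_TTL < $now) {
        return null;
    }
    // The cookie is only valid together with the session it was issued for.
    if (!hash_equals($boundSession, $sessionId)) {
        return null;
    }
    return (int)$userId;
}

// Hypothetical request flow. On each request:
//   session_start();
//   $uid = isset($_COOKIE[AUTH_COOKIE])
//       ? auth_cookie_verify($_COOKIE[AUTH_COOKIE], session_id())
//       : null;
//   if ($uid === null) { /* logged out; the session may still hold non-auth state */ }
//
// On successful login, after giving the session a fresh id:
//   session_regenerate_id(true);
//   setcookie(AUTH_COOKIE, auth_cookie_make($userId, session_id()), [
//       'expires'  => time() + AUTH_TTL,
//       'httponly' => true,
//       'secure'   => true,
//       'samesite' => 'Lax',
//   ]);
```

Keeping the authentication decision in this cookie rather than in the session store means logout or a password change can invalidate the cookie (by rotating the secret or regenerating the session id) without having to reason about what else the PHP session happens to contain.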