Newsgroups: php.internals
Message-ID: <465C88DC.8030704@gmail.com>
Date: Tue, 29 May 2007 21:11:08 +0100
From: stuttle@gmail.com (Stut)
To: Rasmus Lerdorf
CC: Stanislav Malyshev, internals@lists.php.net
In-Reply-To: <465C87E0.8040602@lerdorf.com>
Subject: Re: [PHP-DEV] Session security

Rasmus Lerdorf wrote:
> Stanislav Malyshev wrote:
>>> The session store is just a session store. It is not a
>>> login/authentication mechanism and thus doesn't have any of the
>>> protections you might want to add to that. Therefore a separate
>>> authentication cookie is needed that can separate the two concepts
>> I don't see how it's "therefore". Yes, session is just a storage. But
>> how you derive from it that authentication information can not be stored
>> in this storage and how the separate cookie is helping you in any way
>> make it more secure?
>
> Because you don't have full control over the session cookie since it is
> generated by PHP. For an authentication cookie you want to layer other
> application-specific checks on top of it.
I'm still unclear on how you validate that the authentication cookie came from the same client machine as the one the application first sent it to, which was the core of my question. The answer seems to be that you can't do it reliably.

-Stut
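The kind of layered authentication cookie Rasmus describes, as an added example that is not code from anyone in the thread: the application issues its own HMAC-authenticated token bound to the PHP session id, with an expiry the session store itself does not enforce. Function names, the token layout and `$secret` are assumptions; the final part of the thread (that the client machine cannot be verified reliably) is reflected in what the check deliberately does not claim.

```php
<?php
// Added example, not code from the thread: an application-issued authentication
// cookie layered on top of PHP's session cookie. Names and $secret are assumptions.
declare(strict_types=1);

const AUTH_TTL = 900; // seconds before the application demands re-authentication

// Build a tamper-evident token covering the user id, the issue time and the PHP
// session id it was issued for, authenticated with an HMAC under a server-side key.
function issue_auth_token(int $userId, string $sessionId, int $now, string $secret): string
{
    $payload = $userId . '|' . $now . '|' . $sessionId;
    return base64_encode($payload . '|' . hash_hmac('sha256', $payload, $secret));
}

// Verify the token independently of the session store: MAC (constant-time),
// binding to the current session id, and expiry. Returns the user id or null.
// It makes no attempt to prove which client machine sent it; as the thread
// notes, that cannot be established reliably from the request alone.
function verify_auth_token(string $token, string $sessionId, int $now, string $secret): ?int
{
    $raw = base64_decode($token, true);
    if ($raw === false) { return null; }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) { return null; }
    [$userId, $issued, $boundSession, $mac] = $parts;
    $expected = hash_hmac('sha256', "$userId|$issued|$boundSession", $secret);
    if (!hash_equals($expected, $mac)) { return null; }           // forged or altered
    if (!hash_equals($boundSession, $sessionId)) { return null; } // issued for another session
    if (!ctype_digit($userId) || !ctype_digit($issued)) { return null; }
    if ((int) $issued + AUTH_TTL < $now) { return null; }         // stale: re-authenticate
    return (int) $userId;
}

// Usage with constructed values; a real application would take $sid from session_id().
$secret = 'replace-with-a-random-server-side-key'; // assumption: stored server-side only
$sid = 'constructedsessionid';
$token = issue_auth_token(42, $sid, time(), $secret);
var_dump(verify_auth_token($token, $sid, time(), $secret));
var_dump(verify_auth_token($token, 'othersession', time(), $secret));
```

The second call is rejected because the token was bound to a different session id, which is the application-specific check the PHP session cookie alone does not give you.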