Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session security
From: stas@zend.com (Stanislav Malyshev)
To: Stut
CC: Rasmus Lerdorf, internals@lists.php.net
Date: Tue, 29 May 2007 13:17:45 -0700
Organization: Zend Technologies
Message-ID: <465C8A69.1020909@zend.com>
In-Reply-To: <465C88DC.8030704@gmail.com>

> I'm still unclear on how you validate that the authentication cookie
> came from the same client machine as the one the application first sent
> it to, which was the core of my question.
>
> The answer seems to be that you can't do it reliably.

As far as I understand, no, you can't, unless you have secure external
means to establish client identity (like client certificate).

--
Stanislav Malyshev, Zend Products Engineer
stas@zend.com http://www.zend.com/
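As an added illustration of the "secure external means" mentioned in the reply above (example code, not from this thread or from PHP itself): a PHP session pinned to the TLS client certificate that the web server has already verified, so that a session cookie presented without the matching certificate is rejected. It assumes Apache mod_ssl configured with `SSLVerifyClient require` and `SSLOptions +ExportCertData`, which expose `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT` in `$_SERVER`; the function names are hypothetical.

```php
<?php
// Added example: bind a PHP session to the mod_ssl-verified client certificate.
// Assumes Apache mod_ssl with "SSLVerifyClient require" and
// "SSLOptions +ExportCertData", which populate SSL_CLIENT_VERIFY and
// SSL_CLIENT_CERT (PEM) in $_SERVER. Function names are hypothetical.

function client_cert_fingerprint(array $server): ?string
{
    // Only trust a certificate the TLS layer actually verified.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    $fp  = openssl_x509_fingerprint($pem, 'sha256');
    return $fp === false ? null : $fp;
}

function start_bound_session(array $server): void
{
    $fp = client_cert_fingerprint($server);
    if ($fp === null) {
        http_response_code(403);
        exit('client certificate required');
    }

    // Cookie hygiene: TLS only, not readable by script, not sent cross-site.
    session_set_cookie_params([
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    if (!isset($_SESSION['cert_fp'])) {
        // First request for this session: issue a fresh id and pin it
        // to the presenting certificate.
        session_regenerate_id(true);
        $_SESSION['cert_fp'] = $fp;
        return;
    }

    if (!hash_equals($_SESSION['cert_fp'], $fp)) {
        // Same cookie, different certificate: the session id has been
        // replayed from another client, so discard the session entirely.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('session does not belong to this client');
    }
}

start_bound_session($_SERVER);
```

The pinning relies entirely on the TLS layer's verification; if `SSLVerifyClient` is set to `optional` or the export option is missing, the function refuses every request rather than silently falling back to an unbound session.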