Newsgroups: php.internals
Message-ID: <465C8A96.4020001@lerdorf.com>
Date: Tue, 29 May 2007 13:18:30 -0700
From: rasmus@lerdorf.com (Rasmus Lerdorf)
To: Stut
CC: Stanislav Malyshev, internals@lists.php.net
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com> <465C7E2C.4030601@gmail.com> <465C7F1E.3010605@zend.com> <465C850D.9070807@lerdorf.com> <465C8641.5040507@zend.com> <465C87E0.8040602@lerdorf.com> <465C88DC.8030704@gmail.com>
In-Reply-To: <465C88DC.8030704@gmail.com>
Subject: Re: [PHP-DEV] Session security

Stut wrote:
> Rasmus Lerdorf wrote:
>> Stanislav Malyshev wrote:
>>>> The session store is just a session store. It is not a
>>>> login/authentication mechanism and thus doesn't have any of the
>>>> protections you might want to add to that. Therefore a separate
>>>> authentication cookie is needed that can separate the two concepts
>>> I don't see how it's "therefore". Yes, session is just a storage. But
>>> how you derive from it that authentication information can not be stored
>>> in this storage and how the separate cookie is helping you in any way
>>> make it more secure?
>>
>> Because you don't have full control over the session cookie since it is
>> generated by PHP. For an authentication cookie you want to layer other
>> application-specific checks on top of it.
>
> I'm still unclear on how you validate that the authentication cookie
> came from the same client machine as the one the application first sent
> it to, which was the core of my question.
>
> The answer seems to be that you can't do it reliably.

Correct, which is why it needs to be up to the application. You may deem
it appropriate to do it based on IP because your user base aren't likely
to be coming from AOL or other dynamic connections, or you may find it
useful to tie it to the user agent, or some other mechanism entirely. Like
an RSA token plugin thing, for example. But at the general level that
can't really be hardcoded into PHP since the right answer will be
different for everyone.

-Rasmus
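The design Rasmus sketches above, as an added example that is not code from the thread or from PHP itself: the PHP session stays a plain session store, and a separate application-issued authentication cookie carries an HMAC-signed token that binds the login to the current session id and to whichever client attributes the application decides to trust. Binding to the user agent is on by default; binding to the client IP is opt-in, since users behind dynamic or proxied connections (the AOL case in the thread) change address mid-session and would be logged out. The cookie name, the TTL, `$serverKey`, and the function names `clientBinding`, `issueAuthCookie` and `verifyAuthCookie` are assumptions made for this example.

```php
<?php
// Added example (not the thread's or PHP's own code): an application-level
// authentication cookie layered on top of the PHP session. Names below are
// assumptions for illustration.

const AUTH_COOKIE = 'app_auth';   // assumed cookie name
const AUTH_TTL    = 3600;         // assumed lifetime in seconds

// Server-side secret used to sign the token. In real code, load it from
// configuration or a secret store, never from source.
$serverKey = 'constructed-example-key-replace-me';

session_start();

// Hash of the client attributes the application chooses to bind the token to.
// The user agent is reasonably stable for one browser; the client IP is
// optional because dynamic or proxied connections change address mid-session.
function clientBinding(bool $bindIp = false): string {
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bindIp) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

// Called once after the application has authenticated the user. The token is
// userId|sessionId|binding|expires plus an HMAC over those fields, so a copy
// presented with a different session id or from a different client fails.
function issueAuthCookie(int $userId, string $serverKey, bool $bindIp = false): void {
    $expires = time() + AUTH_TTL;
    $payload = implode('|', [$userId, session_id(), clientBinding($bindIp), $expires]);
    $mac     = hash_hmac('sha256', $payload, $serverKey);
    // secure=true, httponly=true: only sent over TLS and not readable by scripts.
    setcookie(AUTH_COOKIE, $payload . '|' . $mac, $expires, '/', '', true, true);
}

// Called on each request. Returns the user id when the cookie is intact, unexpired,
// issued for this session and matches the bound client attributes; null otherwise.
function verifyAuthCookie(string $serverKey, bool $bindIp = false): ?int {
    if (!isset($_COOKIE[AUTH_COOKIE])) {
        return null;
    }
    $fields = explode('|', $_COOKIE[AUTH_COOKIE]);
    if (count($fields) !== 5) {
        return null;                                   // malformed cookie
    }
    [$userId, $sid, $binding, $expires, $mac] = $fields;
    $payload  = implode('|', [$userId, $sid, $binding, $expires]);
    $expected = hash_hmac('sha256', $payload, $serverKey);
    if (!hash_equals($expected, $mac)) {
        return null;                                   // tampered, or signed with another key
    }
    if ((int)$expires < time()) {
        return null;                                   // expired
    }
    if (!hash_equals($sid, session_id())) {
        return null;                                   // token presented with a different session
    }
    if (!hash_equals($binding, clientBinding($bindIp))) {
        return null;                                   // user agent (or IP, if bound) changed
    }
    return (int)$userId;
}

// Usage sketch:
//   on successful login:   issueAuthCookie($authenticatedUserId, $serverKey);
//   on each later request: $userId = verifyAuthCookie($serverKey);  // null means not logged in
```

The session cookie is still generated by PHP and the application does not try to change that; the application-specific checks live entirely in `verifyAuthCookie`, which is where an operator would add or drop bindings (IP, user agent, a hardware-token assertion) to fit their own user base, as the message argues.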