Newsgroups: php.internals
Subject: Re: [PHP-DEV] Session security
From: cschneid@cschneid.com (Christian Schneider)
To: Stut
CC: internals@lists.php.net
Date: Tue, 29 May 2007 22:49:06 +0200
Message-ID: <465C91C2.9090800@cschneid.com>
In-Reply-To: <465C8E23.1040803@gmail.com>

Stut wrote:
> It doesn't matter where the session ID comes from, the basic point is
> that you have to trust it or implement some experience-degrading
> mechanism like client certificates, and even there there are few
> guarantees.

You want more info to be checked? Simply add a variable containing user-agent, remote IP, etc. to your session and check that in your application startup code. If it doesn't match then start a new session.

But as this can lead to various problems (user agent being easy to fake and not necessarily constant through proxies, remote IP changing in the middle of a session with proxies or some providers) this should be done when really needed by the application, not by PHP itself. I'm pretty sure there already exists a PEAR package or something helping with this.

My 2 cents,
- Chris
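The application-level check Chris describes, written out as an added example (not code from the mail or from PHP itself): the session stores a fingerprint of the User-Agent, and optionally the remote IP, and a mismatch discards the session and issues a fresh ID. Function names and the `__fp` key are assumptions; IP binding is opt-in because of the proxy and provider caveats he raises.

```php
<?php
// Added example, not from the original message. Binds a PHP session to the
// client's User-Agent (and optionally REMOTE_ADDR) and replaces the session
// when the fingerprint no longer matches.
declare(strict_types=1);

/** Fingerprint of the request; hashed so raw header values never sit in the
 *  session store. IP binding is off by default: proxies and some ISPs change
 *  the client address mid-session, which would log legitimate users out. */
function session_fingerprint(array $server, bool $bind_ip = false): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($bind_ip) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\0", $parts));
}

/** Call immediately after session_start(). Returns true when the existing
 *  session is kept, false when it was discarded and replaced by an empty one. */
function enforce_session_fingerprint(array &$session, array $server, bool $bind_ip = false): bool
{
    $expected = session_fingerprint($server, $bind_ip);

    if (!isset($session['__fp'])) {
        // First request of this session: record the fingerprint.
        $session['__fp'] = $expected;
        return true;
    }

    if (hash_equals($session['__fp'], $expected)) {
        return true; // same client as far as we can tell
    }

    // Mismatch: drop all session data and rotate the ID so the old one
    // cannot be presented again.
    $session = ['__fp' => $expected];
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    return false;
}

// Application startup code:
// session_start();
// if (!enforce_session_fingerprint($_SESSION, $_SERVER)) {
//     // treat the request as a brand-new, unauthenticated visitor
// }
```

Passing `$_SESSION` by reference keeps the helper testable with a plain array outside a web request; the `session_status()` guard lets it run that way without a started session.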