Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:29913 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 1300 invoked by uid 1010); 29 May 2007 23:58:19 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 1285 invoked from network); 29 May 2007 23:58:19 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 29 May 2007 23:58:19 -0000 Authentication-Results: pb1.pair.com smtp.mail=ceo@l-i-e.com; spf=permerror; sender-id=unknown Authentication-Results: pb1.pair.com header.from=ceo@l-i-e.com; sender-id=unknown Received-SPF: error (pb1.pair.com: domain l-i-e.com from 67.139.134.202 cause and error) X-PHP-List-Original-Sender: ceo@l-i-e.com X-Host-Fingerprint: 67.139.134.202 o2.hostbaby.com FreeBSD 4.7-5.2 (or MacOS X 10.2-10.3) (2) Received: from [67.139.134.202] ([67.139.134.202:1392] helo=o2.hostbaby.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 7E/8E-10662-61EBC564 for ; Tue, 29 May 2007 19:58:16 -0400 Received: (qmail 90471 invoked by uid 98); 29 May 2007 23:58:17 -0000 Received: from 127.0.0.1 by o2.hostbaby.com (envelope-from , uid 1013) with qmail-scanner-2.01 (clamdscan: 0.88.7/3321. Clear:RC:1(127.0.0.1):. Processed in 0.072849 secs); 29 May 2007 23:58:17 -0000 Received: from localhost (HELO l-i-e.com) (127.0.0.1) by localhost with SMTP; 29 May 2007 23:58:16 -0000 Received: from 216.230.84.67 (SquirrelMail authenticated user ceo@l-i-e.com) by www.l-i-e.com with HTTP; Tue, 29 May 2007 18:58:16 -0500 (CDT) Message-ID: <45186.216.230.84.67.1180483096.squirrel@www.l-i-e.com> In-Reply-To: <465C5D1D.7040206@gmail.com> References: <465C5D1D.7040206@gmail.com> Date: Tue, 29 May 2007 18:58:16 -0500 (CDT) To: "Stut" Cc: internals@lists.php.net Reply-To: ceo@l-i-e.com User-Agent: Hostbaby Webmail MIME-Version: 1.0 Content-Type: text/plain;charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Priority: 3 (Normal) Importance: Normal Subject: Re: [PHP-DEV] Session security From: ceo@l-i-e.com ("Richard Lynch") On Tue, May 29, 2007 12:04 pm, Stut wrote: > Hi all, > > Just wanted to get your opinion on a discussion currently going on on > the general list. > > Why does the PHP session extension not use something like the user > agent > to validate that a session ID has not been hijacked? Or is this > something that just hasn't been implemented yet? Could be any of these reasons, I suppose: A) Anybody smart enough to hijack a session, is smart enough to send the same User Agent. B) Valid reasons exist for a user to switch User Agents mid-session, e.g., stupid broken browser bugs that can be worked around by "hijacking" one's own session. (I've done it, at least...) C) It's just too high a level to be done "right" in PHP core, imho. YMMV -- Some people have a "gift" link here. Know what I want? I want you to buy a CD from some indie artist. http://cdbaby.com/browse/from/lynch Yeah, I get a buck. So?