Newsgroups: php.internals
Message-ID: <465D0D2E.1080700@pooteeweet.org>
Date: Wed, 30 May 2007 07:35:42 +0200
To: Christian Schneider
CC: Stut, internals@lists.php.net
References: <465C5D1D.7040206@gmail.com> <465C6002.5080209@lerdorf.com> <1180462052.6874.204.camel@blobule> <465C6D83.5000000@lerdorf.com> <1180463687.6874.210.camel@blobule> <465C7C99.4000707@lerdorf.com> <465C7E2C.4030601@gmail.com> <465C7F1E.3010605@zend.com> <465C850D.9070807@lerdorf.com> <465C8641.5040507@zend.com> <465C87E0.8040602@lerdorf.com> <465C88DC.8030704@gmail.com> <1180469817.6874.214.camel@blobule> <465C8E23.1040803@gmail.com> <465C91C2.9090800@cschneid.com>
In-Reply-To: <465C91C2.9090800@cschneid.com>
Subject: Re: [PHP-DEV] Session security
From: mls@pooteeweet.org (Lukas Kahwe Smith)

Christian Schneider wrote:
> Stut wrote:
>> It doesn't matter where the session ID comes from, the basic point is
>> that you have to trust it or implement some experience-degrading
>> mechanism like client certificates, and even there there are few
>> guarantees.
>
> You want more info to be checked? Simply add a variable containing
> user-agent, remote ip, etc. to your session and check that in your
> application startup code. If it doesn't match then start a new session.
>
> But as this can lead to various problems (user agent being easy to fake
> and not necessarily constant through proxies, remote ip changing in the
> middle of a session with proxies or some providers) this should be done
> when really needed by the application, not by PHP itself. I'm pretty
> sure there already exists a PEAR package or something helping with this.

PEAR::LiveUser supports this. Not sure about PEAR::Auth.

regards,
Lukas
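The check Christian describes, written out as an added PHP example that is not code from the thread or from PEAR: on first use it stores a hash of the user-agent (and optionally the remote IP) in the session, and on later requests it discards the session and issues a fresh ID when the hash no longer matches. The IP part is off by default because of the proxy and provider caveats he mentions; the `__fingerprint` key and the function names are assumptions.

```php
<?php
// Added example, not from the mailing-list thread. Binds a PHP session
// to request properties and starts a new session on mismatch.
declare(strict_types=1);

function session_fingerprint(bool $include_ip): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($include_ip) {
        // Optional: remote IP can change mid-session behind proxies
        // or with some providers, so only enable this where needed.
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    return hash('sha256', implode("\n", $parts));
}

/**
 * Call once at application startup, right after session_start().
 * Returns true if the session was kept, false if it was discarded
 * and an empty session with a new ID was started in its place.
 */
function enforce_session_binding(bool $include_ip = false): bool
{
    $expected = session_fingerprint($include_ip);

    if (!isset($_SESSION['__fingerprint'])) {
        // First request of this session: record the binding.
        $_SESSION['__fingerprint'] = $expected;
        return true;
    }

    if (hash_equals($_SESSION['__fingerprint'], $expected)) {
        return true;
    }

    // Mismatch: drop everything the old ID carried and issue a new ID,
    // so whatever was tied to the old session is no longer reachable.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['__fingerprint'] = $expected;
    error_log('session binding mismatch; session discarded');
    return false;
}

// Usage at application startup:
session_start();
if (!enforce_session_binding(false)) {
    // Treat the visitor as anonymous from here on (e.g. redirect to login).
}
```

The user-agent check only raises the bar for a reused session cookie; as the thread notes, the header is trivially settable by the client, so this is a supplement to, not a replacement for, short session lifetimes and ID regeneration on login.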