Stut wrote:
Hi all,
Just wanted to get your opinion on a discussion currently going on on
the general list.
Why does the PHP session extension not use something like the user
agent to validate that a session ID has not been hijacked? Or is this
something that just hasn't been implemented yet?
-Stut
Some HTTP proxies may modify the user agent.
If there are several HTTP proxies in a cluster, and one of them does something
different to the user agent, there will be trouble.
And the other way, to guard against the attacker getting the real user agent,
we could do something like md5(user agent + secret key); then if the
attacker gets the md5 string, it is no use for forging the real user agent.
Anyway, this should be done in the script layer, not in the session
mechanism. If you need more security, do it in the script; if you don't, do nothing.
Xing
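As an added illustration of the script-layer approach described in the reply above (this is example code written for this page, not code from the thread or from the PHP session extension), the following binds a session to a keyed hash of the User-Agent. It uses hash_hmac() rather than a bare md5(user agent + key) concatenation, and compares with hash_equals(). SESSION_FP_KEY and the function names are assumptions for the example; in a real deployment the key would come from configuration, not source.

```php
<?php
// Example: binding a PHP session to an HMAC of the User-Agent header at the
// script layer. SESSION_FP_KEY is an assumed secret for this example only.
const SESSION_FP_KEY = 'example-secret-replace-in-deployment';

/**
 * Keyed fingerprint of the User-Agent. Because it is keyed, someone who
 * obtains the stored fingerprint learns neither the User-Agent it was made
 * from nor how to forge a matching value without the key.
 */
function session_fingerprint(string $userAgent, string $key): string
{
    return hash_hmac('sha256', $userAgent, $key);
}

/**
 * Compare a stored fingerprint against the current request's User-Agent.
 * hash_equals() performs a constant-time comparison.
 */
function fingerprint_matches(string $stored, string $userAgent, string $key): bool
{
    return hash_equals($stored, session_fingerprint($userAgent, $key));
}

/**
 * Start the session and enforce the fingerprint. Returns false (and destroys
 * the session) when the User-Agent no longer matches the one recorded when
 * the session was created.
 */
function session_start_checked(string $key = SESSION_FP_KEY): bool
{
    session_start();
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';

    if (!isset($_SESSION['fp'])) {
        // First request of this session: record the fingerprint and rotate
        // the ID so a pre-set ID cannot be carried over.
        session_regenerate_id(true);
        $_SESSION['fp'] = session_fingerprint($ua, $key);
        return true;
    }

    if (fingerprint_matches($_SESSION['fp'], $ua, $key)) {
        return true;
    }

    // Mismatch: either the session ID is being used from a different client,
    // or a proxy in front of the application rewrote the header (the caveat
    // raised in the reply above). Log it, then discard the session so the
    // user is asked to authenticate again.
    error_log('session fingerprint mismatch for session ' . session_id());
    $_SESSION = [];
    session_destroy();
    return false;
}

// Usage: at the top of every page that needs a session.
if (!session_start_checked()) {
    http_response_code(401);
    exit('Session invalid, please sign in again.');
}
```

The proxy problem from the reply is the main operational cost of this check: if a load-balanced cluster has proxies that normalize or strip User-Agent inconsistently, legitimate users will be logged out at random. Treat a mismatch as a signal worth logging and reviewing before deciding to hard-fail on it, and keep the usual session hygiene (session_regenerate_id() after login, Secure and HttpOnly cookie flags) since User-Agent binding alone is a weak control.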
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php