On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
> Stut wrote:
> > Hi all,
> >
> > Just wanted to get your opinion on a discussion currently going on on
> > the general list.
> >
> > Why does the PHP session extension not use something like the user agent
> > to validate that a session ID has not been hijacked? Or is this
> > something that just hasn't been implemented yet?
>
> The user agent is trivial to spoof. If you are going to hijack
> someone's session, it is very easy to also hijack their user agent
> string, so I don't see how that solves anything.
I agree mostly, but in the case of idiots that post a URL to a site that includes a PHPSESSID in the URL it would provide a teensy bit more protection from casual hijacking :)

I agree more with Xing Xing's response though, in that it belongs in the script layer.

Cheers,

Rob.

--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn  |
| also provides an extremely flexible architecture for        |
| creating re-usable components quickly and easily.           |
`------------------------------------------------------------'

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
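The "script layer" approach Rob and Xing Xing refer to, as an added illustration that is not code from this thread or from the PHP session extension: the script stores a hash of the User-Agent header in the session on first use, resets the session if a later request disagrees, and turns off URL-based session IDs so a pasted link does not carry a PHPSESSID in the first place. The `on_login` helper is a hypothetical name chosen for the example; the `ini_set` keys, `hash_equals` and `session_regenerate_id` are standard PHP (this example assumes PHP 7 or later for the `??` operator). As the thread points out, the user-agent check is only a weak signal against casual hijacking, since an attacker who obtains the session ID can send the same header; rotating the ID at privilege changes is the part that limits the damage.

```php
<?php
// Added example (not from the thread): script-layer session binding in PHP.

// Keep session IDs out of URLs so a pasted link cannot leak one (assumption:
// the application is only ever reached by browsers that accept cookies).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

session_start();

// Store a hash rather than the raw header. This is a weak signal only:
// whoever steals the session ID can also copy the User-Agent header.
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

if (!isset($_SESSION['ua_fingerprint'])) {
    // First request of this session: bind it to the current user agent.
    $_SESSION['ua_fingerprint'] = $fingerprint;
} elseif (!hash_equals($_SESSION['ua_fingerprint'], $fingerprint)) {
    // Mismatch: treat as a possible hijack. Discard the session data and
    // issue a fresh ID so the old one stops working for both parties.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['ua_fingerprint'] = $fingerprint;
    error_log('session user-agent mismatch; session reset');
}

// Independent of the fingerprint check: rotate the ID on privilege changes
// (e.g. right after login) so a previously leaked ID does not inherit the
// authenticated state. Hypothetical helper name for this example.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Include this at the top of every request before any session data is read; the fingerprint check then runs on each request, and `on_login` is called from the authentication code once credentials have been verified.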