Robert Cummings wrote:
> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote:
>> Stut wrote:
>>> Hi all,
>>>
>>> Just wanted to get your opinion on a discussion currently going on on
>>> the general list.
>>>
>>> Why does the PHP session extension not use something like the user agent
>>> to validate that a session ID has not been hijacked? Or is this
>>> something that just hasn't been implemented yet?
>> The user agent is trivial to spoof. If you are going to hijack
>> someone's session, it is very easy to also hijack their user agent
>> string, so I don't see how that solves anything.
>
> I agree mostly, but in the case of idiots that post a URL to a site that
> includes a PHPSESSID in the URL it would provide a teensy bit more
> protection from casual hijacking :)
>
> I agree more with Xing Xing's response though, in that it belongs in the
> script layer.
Well, obviously you need an authentication layer separate from the session layer. If people are using the session extension as if it was an authentication layer, then they are amazingly misguided. The solution to that is not the session code, but better documentation.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
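An added example, not code from the thread nor part of the PHP session extension, of the script-layer authentication Rasmus describes on top of the standard session API: the session only carries state, the script decides who is logged in, the ID is regenerated when privilege changes, and the ID is kept out of URLs rather than relying on a spoofable header. The in-memory user store and the 30-minute authentication age are assumptions.

```php
<?php
// Added example: authentication kept separate from the session layer.
// The User-Agent header is never consulted; any client can send any value.

// Keep the session ID out of URLs so it cannot be pasted into a link.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Hypothetical credential store (assumption); a real app would query a database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $name, string $password): bool
{
    if (!isset($users[$name]) || !password_verify($password, $users[$name])) {
        return false;
    }
    // Privilege changed: issue a fresh ID so any pre-login ID is useless
    // (defeats session fixation); delete the old session data.
    session_regenerate_id(true);
    $_SESSION['auth'] = ['user' => $name, 'since' => time()];
    return true;
}

// Returns the authenticated user, or null when nobody is logged in or the
// authentication is older than $maxAge seconds (30 minutes assumed here).
function currentUser(int $maxAge = 1800): ?string
{
    if (!isset($_SESSION['auth'])) {
        return null;
    }
    if (time() - $_SESSION['auth']['since'] > $maxAge) {
        logout();            // stale authentication: force a new login
        return null;
    }
    return $_SESSION['auth']['user'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```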