Robert Cummings wrote: > On Tue, 2007-05-29 at 11:14 -0700, Rasmus Lerdorf wrote: >> Robert Cummings wrote: >>> On Tue, 2007-05-29 at 10:16 -0700, Rasmus Lerdorf wrote: >>>> Stut wrote: >>>>> Hi all, >>>>> >>>>> Just wanted to get your opinion on a discussion currently going on on >>>>> the general list. >>>>> >>>>> Why does the PHP session extension not use something like the user agent >>>>> to validate that a session ID has not been hijacked? Or is this >>>>> something that just hasn't been implemented yet? >>>> The user agent is trivial to spoof. If you are going to hijack >>>> someone's session, it is very easy to also hijack their user agent >>>> string, so I don't see how that solves anything. >>> I agree mostly, but in the case of idiots that post a URL to a site that >>> includes a PHPSESSID in the URL it would provide a teency bit more >>> protection from casual hijacking :) >>> >>> I agree more with Xing Xing's responde though, in that it belongs in the >>> script layer. >> Well, obviously you need an authentication layer separate from the >> session layer. If people are using the session extension as if it was >> an authentication layer, then they are amazingly misguided. The >> solution to that is not the session code, but better documentation. > > Well the two are quite related. Not that the session is responsible for > authentication, but once authenticated the session data (stored server > side I hope) usually indicates whether a user has already performed > authentication for the current temporary session -- otherwise you'd need > to log back in on every request. As such, a URL posted in the wild > containing a PHPSESSID is vulnerable to hijacking for the lifespan of > the temporary session. Better documentation won't help the completely > ignorant masses of end users :)
You really want a separate and distinct signed authentication cookie that has nothing to do with the session. The stored session should indicate which logged in user the session belongs to, but it should never ever be used as the sole authentication cookie. That's what I meant by a separate authentication layer. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
