Rasmus Lerdorf wrote:
> You really want a separate and distinct signed authentication cookie
> that has nothing to do with the session. The stored session should
> indicate which logged in user the session belongs to, but it should
> never ever be used as the sole authentication cookie. That's what I
> meant by a separate authentication layer.
Thanks to everyone for their responses.
The issue is not about how a user is initially validated, it's about how
you prevent the session ID from being used on a different machine while
it's still active on the server. AFAICT using a signed authentication
cookie will not do this since it's still coming from the client and can
therefore be copied.
The basic question is... is there any way to validate that a session ID
coming from the client is coming from the same client?
I don't believe there is since, as Xing pointed out, anything that comes
from the client can a) be faked, and b) change from request to
request. This includes the user agent and IP address.
However, I'd like clarification on that just in case there's a reliable
way to make sessions more secure. Oh, and also to validate the argument
I'm making on PHP-General, but that's really a secondary goal ;)
Cheers.
-Stut
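An added example, not code from the thread or from PHP itself, of the design Rasmus describes above: a signed authentication cookie kept separate from the session, carrying the user id, an expiry and the session id it was issued for. The function names, the secret and the sample values are assumptions of this example.

```php
<?php
// Signed auth cookie separate from the PHP session. The session stores the
// user id; this cookie proves the user for the session id it was minted for.
// A copied session id alone is not authenticated, and a copied auth cookie
// is rejected when presented with a different session id.

const AUTH_KEY = 'replace-with-a-long-random-server-secret'; // placeholder secret

function mint_auth_cookie(int $userId, string $sessionId, int $expires, string $key): string
{
    $payload = base64_encode("$userId|$expires|$sessionId");
    $mac = hash_hmac('sha256', $payload, $key);
    return "$payload.$mac";
}

// Returns the authenticated user id, or null if the cookie is malformed,
// tampered with, expired, or not issued for the session id in this request.
function verify_auth_cookie(string $cookie, string $currentSessionId, string $key, int $now): ?int
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison so the MAC check does not leak timing.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $decoded = base64_decode($payload, true);
    if ($decoded === false) {
        return null;
    }
    $fields = explode('|', $decoded, 3);
    if (count($fields) !== 3) {
        return null;
    }
    [$userId, $expires, $sessionId] = $fields;
    if ((int)$expires < $now || !hash_equals($sessionId, $currentSessionId)) {
        return null;
    }
    return (int)$userId;
}

// Demonstration with constructed values; runs from the CLI, no web server needed.
$issued = mint_auth_cookie(42, 'sess_abc123', 1700000000 + 3600, AUTH_KEY);
var_dump(verify_auth_cookie($issued, 'sess_abc123', AUTH_KEY, 1700000000)); // same session id
var_dump(verify_auth_cookie($issued, 'sess_other', AUTH_KEY, 1700000000));  // different session id
var_dump(verify_auth_cookie($issued . 'x', 'sess_abc123', AUTH_KEY, 1700000000)); // MAC mismatch
```

In a real application the server-side session would also record the user id, and the two should be compared on every request. As Stut notes, a client that copies both cookies together still authenticates, so this narrows the impact of a leaked session id rather than binding it to a machine.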
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php