The basic question is... is there any way to validate that a session ID coming from the client is coming from the same client?
I'm afraid that since there's no way (well, except for what is described below :) to uniquely and securely identify the clients, I don't see how you could do that. You could use client certificates as a secure client identification, and then probably you could verify that the current client presented the same valid certificate as before, but that doesn't really belong to sessions - it's external to sessions. Not sure how good PHP's support for client certificates is; in any case, unless you have a lot of control over your users, they probably won't like to install any certificates.
Also, if you use SSL (which you probably do if you care about security), as I see it the most frequent way to steal the cookie is to control the user's browser. If the hostile code gained control over the user's browser, it's essentially the same client, so you couldn't distinguish it from the legitimate code. You could of course try to counter replay attacks (which are only part of the possible attacks) by matching IPs and other auxiliary data, but if you don't have a secure ID for the client there would be cases when it could still not be enough.
-- Stanislav Malyshev, Zend Products Engineer
http://www.zend.com/
-- PHP Internals - PHP Runtime Development Mailing List
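As an added illustration (not code from this thread, from PHP, or from Zend), here is the kind of "match IPs and other auxiliary data" check the reply mentions, written for a plain PHP session, with its limits noted in the comments; SERVER_SECRET, the /24 truncation and the use of the mod_ssl SSL_CLIENT_S_DN variable are my assumptions.

```php
<?php
// Added example: bind a PHP session to auxiliary client data and drop the
// session when that data changes. Assumes a standard PHP session setup;
// SERVER_SECRET is a placeholder to be loaded from configuration.

const SERVER_SECRET = 'placeholder-replace-with-random-secret-from-config';

// Build a fingerprint from data that should stay stable for one client.
// The IPv4 address is truncated to /24 so NAT and mobile clients are not
// logged out on every address change (IPv6 is kept whole); the user agent
// is low-entropy and trivially copied, so it only raises the bar slightly.
function client_fingerprint(array $server, string $secret): string {
    $ip  = $server['REMOTE_ADDR'] ?? '';
    $net = strpos($ip, ':') === false
        ? implode('.', array_slice(explode('.', $ip), 0, 3))
        : $ip;
    $ua  = $server['HTTP_USER_AGENT'] ?? '';
    // Client certificate subject, present only if mod_ssl exports it
    // (SSLVerifyClient + SSLOptions +StdEnvVars); this is the one component
    // here that a remote attacker cannot reproduce just by copying headers.
    $cert = $server['SSL_CLIENT_S_DN'] ?? '';
    return hash_hmac('sha256', "$net|$ua|$cert", $secret);
}

// Call once per request after session_start(). Returns true if the session
// still matches the client that created it; otherwise the session is dropped.
function enforce_session_binding(array $server, string $secret): bool {
    $fp = client_fingerprint($server, $secret);
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;          // first request: bind the session
        session_regenerate_id(true);    // and never keep a pre-existing id
        return true;
    }
    if (hash_equals($_SESSION['fp'], $fp)) {
        return true;
    }
    // Mismatch: possibly a replayed id from another host. Log and discard.
    error_log('session fingerprint mismatch for ' . session_id());
    $_SESSION = [];
    session_destroy();
    return false;
}

session_start();
if (!enforce_session_binding($_SERVER, SERVER_SECRET)) {
    http_response_code(401);
    exit('session invalidated');
}
```

As the reply points out, code running inside the user's own browser sends exactly the same address, user agent and certificate, so this check only helps against an id replayed from a different client, not against a compromised one.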