Rasmus Lerdorf wrote:
Stanislav Malyshev wrote:
The session store is just a session store. It is not a
login/authentication mechanism and thus doesn't have any of the
protections you might want to add to that. Therefore a separate
authentication cookie is needed that can separate the two concepts
I don't see how it's "therefore". Yes, session is just a storage. But
how you derive from it that authentication information can not be stored
in this storage and how the separate cookie is helping you in any way
make it more secure?
Because you don't have full control over the session cookie since it is
generated by PHP. For an authentication cookie you want to layer other
application-specific checks on top of it.
I'm still unclear on how you validate that the authentication cookie
came from the same client machine as the one the application first sent
it to, which was the core of my question.
The answer seems to be that you can't do it reliably.
-Stut
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
