I'm still unclear on how you validate that the authentication cookie came from the same client machine as the one the application first sent it to, which was the core of my question.

The answer seems to be that you can't do it reliably.

As far as I understand, no, you can't, unless you have secure external means to establish client identity (like a client certificate).
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED]  http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
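
An added example, not part of the original message or of PHP itself: one way to tie an authentication cookie to a client certificate, the kind of external identity the reply mentions. The function names, key and fingerprint values are hypothetical, and the sketch assumes the server terminates TLS with client-certificate authentication and can read the verified certificate's fingerprint.

```php
<?php
// Added illustration; function names, key and fingerprints are hypothetical.

// Issue a cookie value bound to the TLS client-certificate fingerprint.
function issue_bound_cookie(string $userId, string $certFingerprint, string $key, int $ttl = 3600): string
{
    $payload = $userId . '|' . (time() + $ttl);
    // The fingerprint is covered by the MAC but not stored in the cookie, so a
    // copied cookie only verifies over a TLS session using the same certificate.
    $mac = hash_hmac('sha256', $payload . '|' . $certFingerprint, $key);
    return base64_encode($payload) . '.' . $mac;
}

// Return the user id if the cookie is valid for this certificate, else null.
function verify_bound_cookie(string $cookie, string $certFingerprint, string $key): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload . '|' . $certFingerprint, $key);
    if (!hash_equals($expected, $parts[1])) { // constant-time comparison
        return null;
    }
    $fields = explode('|', $payload);
    if (count($fields) !== 2 || (int) $fields[1] < time()) {
        return null; // malformed payload or expired cookie
    }
    return $fields[0];
}

// Constructed sample values. In deployment the fingerprint must come from the
// TLS layer (for example openssl_x509_fingerprint() on the verified client
// certificate), never from a header or form field the client controls.
$key     = random_bytes(32);
$clientA = str_repeat('a1', 32);
$clientB = str_repeat('b2', 32);

$cookie = issue_bound_cookie('alice', $clientA, $key);
var_dump(verify_bound_cookie($cookie, $clientA, $key)); // presented with the original certificate
var_dump(verify_bound_cookie($cookie, $clientB, $key)); // same cookie, different certificate
```

Without the certificate, anything else the server could bind to (IP address, User-Agent) is either shared by many clients or supplied by the client, which is why the reply says it cannot be done reliably.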
