Stut wrote: > Rasmus Lerdorf wrote: >> Stanislav Malyshev wrote: >>>> The session store is just a session store. It is not a >>>> login/authentication mechanism and thus doesn't have any of the >>>> protections you might want to add to that. Therefore a separate >>>> authentication cookie is needed that can separate the two concepts >>> I don't see how it's "therefore". Yes, session is just a storage. But >>> how you derive from it that authentication information can not be stored >>> in this storage and how the separate cookie is helping you in any way >>> make it more secure? >> >> Because you don't have full control over the session cookie since it is >> generated by PHP. For an authentication cookie you want to layer other >> application-specific checks on top of it. > > I'm still unclear on how you validate that the authentication cookie > came from the same client machine as the one the application first sent > it to, which was the core of my question. > > The answer seems to be that you can't do it reliably.
Correct, which is why it needs to be up to the application. You may deem it appropriate to do it based on ip because your user base aren't likely to be coming from AOL or other dynamic connections, or you may find it useful to tie it to the user agent, or some other mechanism entirely. Like an RSA token plugin thing, for example. But at the general level that can't really be hardcoded into PHP since the right answer will be different for everyone. -Rasmus -- PHP Internals - PHP Runtime Development Mailing List To unsubscribe, visit: http://www.php.net/unsub.php
