On Tue, May 29, 2007 12:04 pm, Stut wrote:
> Hi all,
>
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
>
> Why does the PHP session extension not use something like the user agent
> to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?
Could be any of these reasons, I suppose:

A) Anybody smart enough to hijack a session is smart enough to send the same User Agent.

B) Valid reasons exist for a user to switch User Agents mid-session, e.g., stupid broken browser bugs that can be worked around by "hijacking" one's own session. (I've done it, at least...)

C) It's just too high a level to be done "right" in PHP core, imho.

YMMV

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
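An added illustration, not code from either poster or from the PHP session extension: a minimal User-Agent binding check of the kind Stut asks about, exercised against constructed requests. The function names and the arrays standing in for `$_SESSION` and `$_SERVER` are assumptions; the run shows the check passing a copied header unchanged (reason A) and rejecting a legitimate client that switched browsers (reason B), so it only catches the naive case.

```php
<?php
// Added example: a User-Agent "fingerprint" check layered on top of a PHP
// session, exercised with constructed requests instead of a live HTTP server.
// $session stands in for $_SESSION and $server for $_SERVER (assumption).

// Record the User-Agent seen when the session is established.
function bind_session_to_ua(array &$session, array $server): void
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $session['ua_hash'] = hash('sha256', $ua);
}

// Return true when the request's User-Agent matches the one recorded at
// session start. A mismatch is the only thing this control can detect.
function session_ua_matches(array $session, array $server): bool
{
    if (!isset($session['ua_hash'])) {
        return false; // no binding recorded: treat as invalid
    }
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_equals($session['ua_hash'], hash('sha256', $ua));
}

// Constructed scenarios (sample User-Agent strings, not captured traffic).
$firefoxUa = 'Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20100101 Firefox/4.0';
$ieUa      = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)';

$session = ['user_id' => 42];
bind_session_to_ua($session, ['HTTP_USER_AGENT' => $firefoxUa]);

$cases = [
    // The legitimate client, unchanged: passes, as it should.
    'owner, same browser'      => ['HTTP_USER_AGENT' => $firefoxUa],
    // Reason A: a reused session ID presented with the same User-Agent header
    // is indistinguishable from the owner, so the check passes anyway.
    'reused id, same UA'       => ['HTTP_USER_AGENT' => $firefoxUa],
    // Reason B: the owner switches browsers mid-session to work around a
    // browser bug and is wrongly rejected (a false positive).
    'owner, switched browser'  => ['HTTP_USER_AGENT' => $ieUa],
    // The only case the control actually catches.
    'reused id, different UA'  => ['HTTP_USER_AGENT' => $ieUa],
];

foreach ($cases as $label => $server) {
    $verdict = session_ua_matches($session, $server) ? 'accepted' : 'rejected';
    printf("%-26s => %s\n", $label, $verdict);
}
```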