Christian Schneider wrote:
> Stut wrote:
>> It doesn't matter where the session ID comes from, the basic point is
>> that you have to trust it or implement some experience-degrading
>> mechanism like client certificates, and even there there are few
>> guarantees.
> You want more info to be checked? Simply add a variable containing
> user-agent, remote ip, etc. to your session and check that in your
> application startup code. If it doesn't match then start a new session.
> But as this can lead to various problems (user agent being easy to fake
> and not necessarily constant through proxies, remote ip changing in the
> middle of a session with proxies or some providers) this should be done
> when really needed by the application, not by PHP itself. I'm pretty
> sure there already exists a PEAR package or something helping with this.
PEAR::LiveUser supports this. Not sure about PEAR::Auth.
regards,
Lukas
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
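A concrete form of the check Christian describes (keep a fingerprint in the session, start a fresh session when it no longer matches), as an added example that is not code from this thread, from PEAR::LiveUser or from PEAR::Auth. The `_fp` key and the function names are this example's own; IP binding is optional because of the proxy caveat raised above.

```php
<?php
// Added example (not from the thread): bind a PHP session to a client
// fingerprint and reset the session when the fingerprint changes.
// Assumes plain PHP sessions; the `_fp` key is this example's own choice.

// Build the fingerprint from request attributes the application selects.
// The thread's caveat applies: User-Agent is trivially spoofed and the
// remote IP can change mid-session behind proxies or some providers, so
// IP binding is off by default and is an application-level decision.
function session_fingerprint(bool $bind_ip = false): string
{
    $parts = [$_SERVER['HTTP_USER_AGENT'] ?? ''];
    if ($bind_ip) {
        $parts[] = $_SERVER['REMOTE_ADDR'] ?? '';
    }
    // Hash so the raw header values are not written to the session store.
    return hash('sha256', implode("\0", $parts));
}

// Call once in application startup, after session_start().
// Returns true if the existing session was kept, false if it was reset.
function enforce_session_fingerprint(bool $bind_ip = false): bool
{
    $current = session_fingerprint($bind_ip);

    if (!isset($_SESSION['_fp'])) {
        // Brand-new session: record the fingerprint and continue.
        $_SESSION['_fp'] = $current;
        return true;
    }

    if (hash_equals($_SESSION['_fp'], $current)) {
        return true;
    }

    // Mismatch: drop all session state and issue a new session ID so the
    // old ID (stale or not) stops being valid, as the thread suggests.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION['_fp'] = $current;
    return false;
}

session_start();
if (!enforce_session_fingerprint()) {
    // The application decides what a reset means, e.g. require a new login.
    error_log('session fingerprint mismatch; session was reset');
}
```

Whether a reset should log the user out, re-prompt for credentials, or simply continue anonymously is the application's call, which is the thread's point about not baking this into PHP itself.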