Stut wrote:
> Hi all,
> 
> Just wanted to get your opinion on a discussion currently going on on
> the general list.
> 
> Why does the PHP session extension not use something like the user agent
> to validate that a session ID has not been hijacked? Or is this
> something that just hasn't been implemented yet?

The user agent is trivial to spoof.  If you are going to hijack
someone's session, it is very easy to also hijack their user agent
string, so I don't see how that solves anything.

-Rasmus

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
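
The point made in the reply above, as an added example (not code from this thread or from PHP's session extension): a session check bound to the User-Agent header. The helpers `ua_fingerprint` and `validate_session`, the in-memory store and the three requests are all constructed for illustration.

```php
<?php
// Added example: constructed store and requests, not the session extension's code.

/** Fingerprint recorded when the session is created (hypothetical helper). */
function ua_fingerprint(string $userAgent): string
{
    return hash('sha256', $userAgent);
}

/** True when the session ID exists and the presented User-Agent matches it. */
function validate_session(array $store, string $sessionId, string $userAgent): bool
{
    if (!isset($store[$sessionId])) {
        return false;
    }
    // Constant-time comparison of the stored and presented fingerprints.
    return hash_equals($store[$sessionId]['ua'], ua_fingerprint($userAgent));
}

// Constructed data: one session created by the legitimate browser.
$legitUa = 'Mozilla/5.0 (X11; Linux x86_64) ExampleBrowser/1.0';
$sid     = bin2hex(random_bytes(16));
$store   = [$sid => ['ua' => ua_fingerprint($legitUa), 'user' => 'alice']];

// Three constructed requests, all presenting the same session ID.
$requests = [
    'owner'                    => $legitUa,
    'replay, different UA'     => 'curl/8.0.1',
    'replay, UA header copied' => $legitUa,
];

foreach ($requests as $label => $ua) {
    $verdict = validate_session($store, $sid, $ua) ? 'accepted' : 'rejected';
    printf("%-26s %s\n", $label, $verdict);
}
```

The check only separates requests whose header differs; the owner's request and a replay carrying the same header are identical from the server's side, because both the session ID and the User-Agent are client-supplied values.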
