A quick FUD check here...
On Sat, 2006-12-02 at 10:46 -0500, Brett Patterson wrote:
> Well, honestly, sessions can be changed by the user easily. There are extensions for Firefox that allow people who are just playing around to modify their session. This can either make or break the system.
No, users cannot modify their PHP sessions through any browser tool. The session itself is a server-side construct that is linked to a session id. The session id can be stored in a cookie or passed through GET variables.
Session hijacking can occur if you find out another user's session id and spoof either the PHPSESSID GET variable or the cookie.
> Cookies, while more difficult to modify, are still modifiable, as well as easily visible.
You should be more concerned about cookies than the PHP session. You can also use salted cookies with the session id, but if someone is watching the wire and has a valid session id, they can probably get the salted cookie just as easily.
> One thing that I would suggest is that IF you need to keep the password in the session or in a cookie, the password and other vital information is encrypted in some way, either with the mcrypt library or through a user-created encryption method. This would be much safer, so that if someone did try to view the information, it would be encrypted. Just my suggestion(s).
I think you're taking a zero-sum approach: a lot of effort for no real results. If you are truly super paranoid, you can start a DH request and page-signing session when the user logs in, and continue it for each subsequent Ajax request. Then you would at least be able to guarantee the identity of the endpoints per session. OpenID has also solved a lot of the problems around distributed authentication systems and identity verification; the 2.0 draft should be finalized soon.... It would be cool to have an email service as an identity provider and use IMAP as a password backend.
darrel.
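The points argued above (the session lives server-side and is only referenced by an id, a signed cookie stops tampering but not replay of a captured id, and per-request signing bounds what a captured request is worth), as an added Python example that is not part of this thread. Python stands in for PHP, and a per-session secret handed out at login (assumed to travel over TLS) stands in for darrel's DH exchange.

```python
import hashlib
import hmac
import secrets

# Constructed server-only key used to sign the session cookie (assumption).
SERVER_KEY = b"constructed-server-key-do-not-reuse"

# Server-side session store: the browser never sees this, only the id.
_sessions: dict[str, dict] = {}


def create_session(user: str) -> str:
    """Create a server-side session and return its id (what PHPSESSID carries)."""
    sid = secrets.token_hex(16)
    _sessions[sid] = {"user": user, "secret": secrets.token_bytes(32), "used": set()}
    return sid


def signed_cookie(sid: str) -> str:
    """The 'salted cookie' idea: id plus an HMAC so a modified id is rejected."""
    mac = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{mac}"


def session_from_cookie(cookie: str):
    """Return the session for a cookie, or None if the cookie was tampered with.
    Note: a cookie copied off the wire verifies just fine, which is the hijack."""
    sid, _, mac = cookie.rpartition(".")
    expected = hmac.new(SERVER_KEY, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return _sessions.get(sid)


def sign_request(secret: bytes, path: str, nonce: str) -> str:
    """Client side of per-request signing: MAC over nonce and requested path."""
    return hmac.new(secret, f"{nonce}:{path}".encode(), hashlib.sha256).hexdigest()


def verify_request(sid: str, path: str, nonce: str, sig: str) -> bool:
    """Server side: reject unknown sessions, reused nonces and bad signatures,
    so a captured request cannot be replayed or pointed at another path."""
    session = _sessions.get(sid)
    if session is None or nonce in session["used"]:
        return False
    if not hmac.compare_digest(sig, sign_request(session["secret"], path, nonce)):
        return False
    session["used"].add(nonce)
    return True
```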