On Jul 8, 2005, at 1:25 PM, Ezra Nugroho wrote:
Here is one security measure that you HAVE to do if you allow people to
submit contents to your site.
1. track client's IP.
2. Associate sensitive cookies with the IP, if they don't match, ignore
it or invalidate the cookie.
We may not stop the information redirection.
We can make the information invalid.
Well, yes and no. If the "bad guy" can get the cookie, it's also likely
that he's got all the
information the valid user is sending you too, such as ip, user agent,
whatever...
So he's probably going to send all that along with the stolen cookie,
and the checks
you have will let him in.
All the ip, user agent, etc. checks do is slow down a brute-force
attack. They have to
guess more than one correct value to get in. But that cookie.... that's
the prize.
Edward Vermillion
evermillion@xxxxxxxxxxxx
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
