At 10:52 PM +0200 8/18/07, Michelle Konzack wrote:
On 2007-08-17 22:07:47, Bastien Koert wrote:
If cookies are not available, you can either
hide the id in the hidden form field element
or
enable trans_sid to automatically pass the session id in the url
This will be a security risk since Session-Hijacker can grab the URL
Greetings
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant
When the user first generates a session id, grab the user's ip and
store both in mysql.
In the code, always check the session id against the user's ip before
doing anything. If they don't match with what you started with, then
stop. That should stop most Session-Hijackers, don't you think?
Cheers,
tedd
PS: Back from vacation, and all ready to be retrained.
--
-------
http://sperling.com http://ancientstones.com http://earthstones.com
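The check tedd describes, as an added example that is not part of the original message: the session id and client IP are stored together when the session is created, and every later request is compared against that stored pair. The table name `session_ip` and both function names are hypothetical, and an in-memory SQLite database stands in for the MySQL table so the script runs offline.

```php
<?php
// Added example; table and function names are hypothetical.
// SQLite in memory stands in for the MySQL table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_ip (sid TEXT PRIMARY KEY, ip TEXT NOT NULL)');

// Call once, when the session id is first generated.
// In a live application: bind_session($db, session_id(), $_SERVER['REMOTE_ADDR']);
function bind_session(PDO $db, string $sid, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO session_ip (sid, ip) VALUES (?, ?)');
    $stmt->execute([$sid, $ip]);
}

// Call at the top of every request, before doing anything else.
function session_matches_ip(PDO $db, string $sid, string $ip): bool
{
    $stmt = $db->prepare('SELECT ip FROM session_ip WHERE sid = ?');
    $stmt->execute([$sid]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // session id was never issued: fail closed
    }
    return hash_equals($stored, $ip);
}

// Constructed sample values (addresses from the documentation ranges).
$sid = bin2hex(random_bytes(16));
bind_session($db, $sid, '192.0.2.10');

var_dump(session_matches_ip($db, $sid, '192.0.2.10'));      // original client
var_dump(session_matches_ip($db, $sid, '198.51.100.7'));    // same id, other address
var_dump(session_matches_ip($db, 'unknown', '192.0.2.10')); // id not in the table
```

The comparison cannot tell apart two clients that reach the server from the same address (shared NAT or proxy), and it rejects a legitimate user whose address changes during the session.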