Richard Lynch wrote:
> On Wed, August 29, 2007 4:33 pm, tedd wrote:
>> At 10:52 PM +0200 8/18/07, Michelle Konzack wrote:
>>> On 2007-08-17 22:07:47, Bastien Koert wrote:
>>>> If cookies are not available, you can either
>>>> hide the id in the hidden form field element
>>>> or
>>>> enable trans_sid to automatically pass the session id in the url
>>>
>>> This will be a security risk since Session-Hijacker can grab the URL
>>>
>>> Greetings
>>> Michelle Konzack
>>> System administrator
>>> Tamay Dogan Network
>>> Debian GNU/Linux Consultant
>>
>> When the user first generates a session id, grab the user's ip and
>> store both in mysql.
>>
>> In the code, always check the session id against the user's ip before
>> doing anything. If they don't match with what you started with, then
>> stop. That should stop most Session-Hijackers, don't you think?
>>
>> Cheers,
>>
>> tedd
>>
>> PS: Back from vacation, and all ready to be retrained.
>
> You have just booted all AOL users from your website.
>
> They change IP address every request sometimes.
>
> IP is absolutely useless for identification.

Indeed it is. Use the user agent instead and you should be fine.

However, I would not be surprised if there is a user agent out there
somewhere that changes that header when it feels so inclined, but it's
infinitely better than using the IP.

-Stut
http://stut.net/
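An added example (not code from anyone in this thread) of the approach the reply settles on: bind the PHP session to a keyed hash of the User-Agent header rather than to the client IP, discard the session when the header no longer matches, and keep the id out of URLs so the trans_sid exposure does not arise. The FINGERPRINT_SALT value is an assumed placeholder; everything else uses standard PHP session and ini functions.

```php
<?php
declare(strict_types=1);

// Added example, not from the mailing-list thread. Binds the session to the
// User-Agent (as Stut suggests) instead of the client IP, which, as Richard
// notes, can change on every request for users behind some proxies.
// FINGERPRINT_SALT is an assumed placeholder: use a long random secret.
const FINGERPRINT_SALT = 'replace-with-a-long-random-secret';

// Keep the session id in a cookie only, never in the URL (the trans_sid
// risk Michelle raises), and out of reach of client-side script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.cookie_httponly', '1');

// Keyed hash of the User-Agent header. The IP is deliberately not included.
function session_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, FINGERPRINT_SALT);
}

// Returns true when an existing session was accepted, false when no session
// existed yet or the fingerprint did not match and a fresh session was started.
function start_bound_session(array $server): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected = session_fingerprint($server);

    if (!isset($_SESSION['fp'])) {
        // First request of this session: record the fingerprint and rotate
        // the id so an id chosen before this point is not kept.
        session_regenerate_id(true);
        $_SESSION['fp'] = $expected;
        return false;
    }

    if (!hash_equals($_SESSION['fp'], $expected)) {
        // Header changed: treat the presented id as untrusted. Drop the stored
        // data and hand out a new, empty session instead of serving this one.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['fp'] = $expected;
        return false;
    }
    return true;
}

// Usage at the top of every request:
// if (!start_bound_session($_SERVER)) { /* user must authenticate again */ }
```

The mismatch branch destroys the session rather than merely refusing the request, so a stolen id that is replayed from a different browser buys nothing and also invalidates itself for the original holder; combined with session_regenerate_id() after login this covers the hijacking and fixation cases the thread is discussing, while still accepting the users whose IP changes mid-session.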
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php