On Sun, 2008-11-09 at 22:08 +0200, Thodoris wrote:
> Robert Cummings wrote:
> > On Sun, 2008-11-09 at 12:39 -0600, Micah Gersten wrote:
> > > Robert Cummings wrote:
> > > > On Sun, 2008-11-09 at 12:26 -0600, Micah Gersten wrote:
> > > > > Also, by storing the information server side, there is less of
> > > > > a chance of the user tampering with the data. Storing stuff in the
> > > > > session also saves on network bandwidth of sending and retrieving
> > > > > the data with each request.
> > > >
> > > > Nah, the problem is the same. Tamper with the GET data or tamper
> > > > with the POST data before it goes into the session. Need to check
> > > > the incoming data regardless.
> > > >
> > > > Cheers,
> > > > Rob.
> > >
> > > Yes, but once it's in the session, it should be ok.
> >
> > True, but the same possibility of tampering existed with the POST
> > data. Therefore the chance of tampering is the same.
> >
> > Cheers,
> > Rob.
>
> Not true because if the data are stored in the cookie every time that
> the cookie is accessed the data are passing from the client to the
> server. This adds further network traffic and gives the client the
> chance to interfere with the cookie's data. So I think that the server
> side storage (sessions) is safer because you check once, then store
> and use as needed.
>
> On the other hand sessions give bigger load to the web server. So
> another solution could be to encrypt the cookie's data if that is the
> way that suits you better in order to make things more secure...

You have to check any newly checked posts anyways. So the security
implications are the same. Loop over all received IDs and ensure
integrity. With the GET system you just reloop over the previously
submitted IDs. The result, while not equivalent with respect to CPU
time, is certainly equivalent with respect to checking security.

Cheers,
Rob.
-- 
http://www.interjinn.com
Application and Templating Framework for PHP

-- 
PHP General Mailing List (http://www.php.net/)
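An added PHP example, not code from anyone in the thread, showing Rob's point: one validation routine runs over the received IDs whether they are checked once before going into the session or re-checked on every GET, and the "encrypt the cookie" idea is served by an HMAC that protects integrity rather than secrecy. The whitelist `$allowed`, the secret `$key` and the parameter name `ids` are assumptions.

```php
<?php
// Added example, not code from the thread. $allowed is a constructed whitelist
// standing in for "posts this user may check"; $key is a constructed secret.
$allowed = [12, 15, 23, 42];
$key = 'constructed-server-secret-replace-me';
// One check for IDs however they arrive: drop non-scalars, anything that is not a
// plain positive integer ("abc", "007", "1e3"), anything off the whitelist, duplicates.
function validate_ids(array $received, array $allowed): array
{
    $clean = [];
    foreach ($received as $id) {
        if ((!is_int($id) && !is_string($id)) || !preg_match('/^[1-9][0-9]{0,9}$/', (string) $id)) {
            continue;
        }
        if (in_array((int) $id, $allowed, true)) {
            $clean[(int) $id] = (int) $id;
        }
    }
    return array_values($clean);
}
// Integrity for client-side storage: an HMAC over the payload is what stops
// tampering, so the IDs can live in a cookie without needing to be secret.
function sign_ids(array $ids, string $key): string
{
    $payload = json_encode(array_values($ids));
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}
function verify_ids(string $cookie, string $key): ?array
{
    $dot = strrpos($cookie, '.');
    if ($dot === false) {
        return null;
    }
    $payload = substr($cookie, 0, $dot);
    if (!hash_equals(hash_hmac('sha256', $payload, $key), substr($cookie, $dot + 1))) {
        return null;                               // tampered or forged
    }
    $ids = json_decode($payload, true);
    return is_array($ids) ? $ids : null;
}
session_start();
// Session route: check once when the selection is POSTed, then store the result.
if (isset($_POST['ids'])) {
    $_SESSION['checked_ids'] = validate_ids((array) $_POST['ids'], $allowed);
}
$fromSession = $_SESSION['checked_ids'] ?? [];
// GET route: the IDs ride along on every request, so the same check runs each time.
$fromGet = validate_ids((array) ($_GET['ids'] ?? []), $allowed);
// Signed-cookie route: verify the MAC, then run the same check anyway.
$fromCookie = validate_ids(verify_ids($_COOKIE['ids'] ?? '', $key) ?? [], $allowed);
```

The cookie is issued with `setcookie('ids', sign_ids($fromSession, $key))`; a verified MAC only proves the server wrote the value, so the whitelist check still runs because permissions may have changed since it was issued.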