On Wed, 19 Feb 2014 11:34:54 -0500, Aziz Saleh wrote
> On Wed, Feb 19, 2014 at 11:22 AM, Vernon Nemitz <vnemitz@xxxxxxxx> wrote:
>
> > If the user has to keep identifying self to the web server,
> > then that is data that the bad guy could obtain as easily
> > as the session ID.
>
> Think about the implementation this way:
>
> function getUserSalt(){ return isset(COOKIE[salt]) ? COOKIE[salt] : makeSalt() }
>
> function getUniqueKey(){ return ip + user agent + salt + (other unique factors, add as many as you want) }
>
> function getUserSession(){
>     set key = getUniqueKey(), set session id = SESSION_ID (from url or cookie)
>     check DB for corresponding row with those two params,
>     if user exists, use the corresponding user id with that session,
>     else destroy the session
> }
>
> The only way a user can hijack someone's session is if they
> have the cookie value salt + cookie/url value session_id +
> ip + user agent, which I personally think is far-fetched.
>
> Aziz

OK, thank you.

vernonner3voltazim
Vernon Nemitz

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
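The session-binding check Aziz sketches above, written out as an added PHP example (not code from either poster). It keeps the sketch's getUniqueKey()/getUserSession() shape but, as assumptions of this example, stores the binding in $_SESSION rather than a DB row and derives the key with an HMAC under a server-side secret instead of a salt cookie, since a second cookie travels with the session cookie and is exposed to the same attacker Vernon describes.

```php
<?php
// Added example, not from the thread: bind a PHP session to a request
// fingerprint in the spirit of getUniqueKey()/getUserSession() above.
// Assumptions of this example: the secret lives in server config (not a
// cookie), the binding is kept in $_SESSION (not a DB row), and the
// comparison is constant-time.

// Assumption: a long random secret loaded from outside the web root.
const FINGERPRINT_SECRET = 'replace-with-32+-random-bytes-from-config';

/** Derive the binding key from factors the server observes on each request. */
function getFingerprint(array $server): string
{
    // Further factors can be appended here as the sketch suggests; each one
    // also raises the chance that a legitimate user is logged out when it
    // changes (roaming IPs, browser updates).
    $factors = implode('|', [
        $server['REMOTE_ADDR']     ?? '',
        $server['HTTP_USER_AGENT'] ?? '',
    ]);
    // HMAC so a client cannot compute a valid fingerprint without the secret.
    return hash_hmac('sha256', $factors, FINGERPRINT_SECRET);
}

/** Call once right after a successful login. */
function bindSession(int $userId, array $server): void
{
    session_regenerate_id(true);          // do not reuse the pre-login id
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = getFingerprint($server);
}

/**
 * Return the logged-in user id, or null after destroying a session whose
 * fingerprint no longer matches the request (the sketch's "else destroy").
 */
function getUserSession(array $server): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return null;
    }
    if (!hash_equals($_SESSION['fingerprint'], getFingerprint($server))) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}
```

Call session_start() before either function; on a mismatch the session is destroyed and the caller treats the request as anonymous.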