Date: 03/31/00
- Next message: Milen A. Radev: "[PHPLIB] Problem with "$sess->padd_query()""
- Previous message: lennart benoot: "Re: [PHPLIB] Session Hijacking"
- In reply to: lennart benoot: "Re: [PHPLIB] Session Hijacking"
- Next in thread: Kristian Koehntopp: "Re: [PHPLIB] Session Hijacking"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Fri, Mar 31, 2000 at 10:27:29AM +0200, lennart benoot wrote:
> Hello,
>
> this is a reply to my own mail. Maybe a bit strange, but I've become wiser
> in the past hour. IP checking often isn't useful because lots of
> providers (e.g. AOL) use the same IP (to the outside network) for large
> numbers of clients. I even heard of a large provider only using 4 IPs.
> This, of course, makes the whole idea of IP checking redundant since it
> does not improve security very much.
>
If you save the IP depending on the Session-ID and, if possible, set the
Session-Cookie, it is very hard to hijack the session.
I know these arguments don't improve the security for phplib, but you can't
guarantee an absolutely secure session without SSL. That's one reason why online shops use
SSL.
--
Stefan Zosel <zosel <email protected>> (Consulting)
* ID-PRO Deutschland GmbH * Am Hofgarten 20 * 53113 Bonn
* Tel. +49 (0)228 - 4 21 54-43 * Fax -59
* http://open-for-the-better.com/
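The IP-binding check discussed in this thread, as an added example that is not part of the original messages and is not PHPLIB code. The function names and the addresses (documentation ranges) are constructed for illustration; the four cases show where the check helps and where shared or changing provider IPs defeat it.

```php
<?php
// Hypothetical helpers for illustration; not the PHPLIB session API.
// $store maps session ID => client IP recorded when the session was created.

function session_start_bound(array &$store, string $ip): string {
    $sid = bin2hex(random_bytes(16));   // unguessable 128-bit session ID
    $store[$sid] = $ip;                 // bind the session to the creating IP
    return $sid;
}

// Accept a request only if the session exists and arrives from the bound IP.
function session_check(array $store, string $sid, string $ip): string {
    if (!isset($store[$sid])) {
        return 'reject: unknown session';
    }
    return $store[$sid] === $ip ? 'accept' : 'reject: IP mismatch';
}

$store = [];

// Constructed sample addresses (RFC 5737 documentation ranges).
$proxyA = '192.0.2.10';    // provider proxy shared by many clients
$proxyB = '192.0.2.11';    // second egress address of the same provider
$other  = '198.51.100.7';  // unrelated network

$sid = session_start_bound($store, $proxyA);

// Each case presents the same session ID from a different source address.
$cases = [
    'owner, same IP'                        => $proxyA, // expected: accept
    'ID replayed from another network'      => $other,  // rejected: binding helps
    'ID replayed from behind the same proxy' => $proxyA, // accepted: binding cannot tell them apart
    'owner, provider switched egress IP'    => $proxyB, // rejected: false positive for the real user
];

foreach ($cases as $label => $ip) {
    printf("%-42s %s\n", $label, session_check($store, $sid, $ip));
}

// The ID itself still crosses the network in clear text without SSL,
// which is why the check is a supplement and not a replacement for it.
```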

