Re[2]: [phplib] Disallowing infinite incorrect passwords From: Max A. Derkachev (kot <email protected>)
Date: 04/27/00

Hello Philip,
Thursday, April 27, 2000, 10:51:55 AM, you wrote:
>> Without a cookie you can't identify the user for sure. Don't rely on IPs.
PS> Couldn't one just use a session variable? Or am I missing something?

How will you track a user if he won't supply the session id?
One can disable cookies or delete them.
One can strip session ids from the URL in GET mode while cookies are
disabled.
So, new sessions will be initiated, and all the session vars become
obsolete.
So that password cracking could be prevented, but only if the user
does not play with the session ids. I mentioned cookies because
cookies are not as obvious to the user as the session id in the URL in
his browser window.
My conclusion is: one can use cookies, or the GET method, and session vars
to get rid of password crackers, but this protection could be easily
cracked. You should not rely on it. One who really cares about his
passwords should prevent easily guessed, short and silly passwords in
his system instead. For a cracker, even if he wrote a script to automate
password guessing, it would be too difficult to crack a really good
password via the web. It could take years :)

-- 
Best regards,
Max A. Derkachev

--------------------------------------------------------------------- To unsubscribe, e-mail: phplib-unsubscribe <email protected> For additional commands, e-mail: phplib-help <email protected>
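Added example, not part of the original thread and not phplib code. It models the two points Max makes: a failed-login counter kept in a session variable is reset the moment the client starts a new session (the guessing script simply drops the cookie or the URL session id), and what actually limits a guessing script is the size of the password space. For contrast it also shows a counter keyed on the account name and kept server-side, which the thread does not discuss. Plain PHP arrays stand in for phplib's Session class and for a database table so the script runs from the command line; the account, the guess list and the 100 guesses per second figure are constructed for the example.

```php
<?php
// Added example, not code from the phplib thread or the phplib code base.
// Stores are plain arrays (assumption for a self-contained CLI run):
// $session models the variables tied to one session id, $accountFails
// models a server-side table keyed on the account name.

declare(strict_types=1);

const MAX_FAILURES = 5;

// Constructed sample account; only the hash is ever compared.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

/**
 * Login guarded by a counter in the *session*, the scheme discussed above.
 * $session is the variable set for whatever session id the client sent.
 */
function login_session_counter(array $users, array &$session, string $user, string $pass): string
{
    $fails = $session['failures'] ?? 0;
    if ($fails >= MAX_FAILURES) {
        return 'locked';
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        unset($session['failures']);
        return 'ok';
    }
    $session['failures'] = $fails + 1;
    return 'denied';
}

/**
 * Login guarded by a counter keyed on the *account*, kept server-side, so it
 * survives the client discarding its session id. Added for contrast; it has
 * its own cost: anyone can lock a known username out by sending wrong
 * passwords, which is why real deployments make the lock expire.
 */
function login_account_counter(array $users, array &$accountFails, string $user, string $pass): string
{
    $fails = $accountFails[$user] ?? 0;
    if ($fails >= MAX_FAILURES) {
        return 'locked';
    }
    if (isset($users[$user]) && password_verify($pass, $users[$user])) {
        unset($accountFails[$user]);
        return 'ok';
    }
    $accountFails[$user] = $fails + 1;
    return 'denied';
}

/** Minimal policy rejecting the "easily guessed, short and silly" passwords. */
function password_acceptable(string $pass): bool
{
    $blocklist = ['password', '123456', 'qwerty', 'letmein', 'phplib'];
    return strlen($pass) >= 12 && !in_array(strtolower($pass), $blocklist, true);
}

/** Expected years to exhaust an alphabet^length password space at a guess rate. */
function years_to_exhaust(int $alphabet, int $length, float $guessesPerSecond): float
{
    return ($alphabet ** $length) / $guessesPerSecond / (365 * 86400);
}

// --- Simulated guessing script: constructed guess list, last one is right ---
$guesses = ['password', '123456', 'qwerty', 'letmein', 'alice', 'phplib',
            'correct horse battery staple'];

// 1. Session counter, cookie kept: five denials, then locked.
$session = [];
$r = [];
foreach ($guesses as $g) {
    $r[] = login_session_counter($users, $session, 'alice', $g);
}
echo "session counter, cookie kept:    " . implode(' ', $r) . "\n";

// 2. Session counter, fresh session per request: failures is always 0,
//    the lock never triggers, the seventh guess succeeds.
$r = [];
foreach ($guesses as $g) {
    $session = [];   // new session id, empty variable set
    $r[] = login_session_counter($users, $session, 'alice', $g);
}
echo "session counter, cookie dropped: " . implode(' ', $r) . "\n";

// 3. Account counter: dropping the cookie changes nothing, locked after five.
$accountFails = [];
$r = [];
foreach ($guesses as $g) {
    $r[] = login_account_counter($users, $accountFails, 'alice', $g);
}
echo "account counter, cookie dropped: " . implode(' ', $r) . "\n";

// 4. The "it could take years" arithmetic: a 10-character mixed-case
//    alphanumeric password (62 symbols) at 100 guesses per second over
//    HTTP needs on the order of 2.7e8 years to exhaust.
printf("years to exhaust 62^10 at 100/s: %.1e\n", years_to_exhaust(62, 10, 100.0));
printf("'letmein' acceptable: %s\n", password_acceptable('letmein') ? 'yes' : 'no');
```

Run it with `php example.php`. Case 2 is the bypass described in the thread: because the counter lives in the session, the server has no memory of the previous requests once the client stops presenting the session id, and only the password's own strength (case 4) stands between the script and the account.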