php-general | 2001062
Date: 06/28/01
- Next message: Don Read: "RE: [PHP] Mail slow"
- Previous message: Romulo Roberto Pereira: "[PHP] parse error in PHP Manual in php web site..."
- In reply to: David Price: "RE: [PHP] Stopping stolen / spoofed / linked sessions"
- Next in thread: Rasmus Lerdorf: "Re: [PHP] Stopping stolen / spoofed / linked sessions"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Price <dprice <email protected>> said:
> The way I got around this was to create a session key using an MD5 hash of
> the session id and the user's IP address.
>
<SNIP>
>
> I know that the IP address can be spoofed, but I'm not sending the session
> id in the URL, so no one knows what it is and without the session id the
> session key cannot be spoofed.
>
IP spoofing is only a side issue - some users' IP addresses change from request
to request. WebTV is an example, and users behind proxies are another.
I guess I'm looking for the perfect solution here, which just doesn't appear
to be possible with HTTP. Maybe a better question is: "What is the ideal
model for a PHP4 sessions authentication scheme?"
Thanks anyway,
adam
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: php-general-unsubscribe <email protected> For additional commands, e-mail: php-general-help <email protected> To contact the list administrators, e-mail: php-list-admin <email protected>
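
Added example, not part of the original messages: a PHP sketch of the session-key check described in the quoted text, replayed over constructed request sequences to show the false rejections the reply raises. The function names, the `|` separator, the session id and the addresses are assumptions made for the illustration.

```php
<?php
// Added illustration; function names and sample values are hypothetical.

// Session key as described in the quoted message: MD5 over the session id
// and the client IP. The '|' separator is an assumption of this example.
function make_session_key(string $sessionId, string $clientIp): string
{
    return md5($sessionId . '|' . $clientIp);
}

// Recompute the key from the current request and compare it with the stored
// one. hash_equals() (PHP 5.6+) compares in constant time.
function request_matches(string $sessionId, string $storedKey, string $clientIp): bool
{
    return hash_equals($storedKey, make_session_key($sessionId, $clientIp));
}

// Replay a list of request source addresses against a session created from
// the first address; returns one 'accept' or 'reject' per request.
function replay(string $sessionId, array $requestIps): array
{
    $storedKey = make_session_key($sessionId, $requestIps[0]);
    $results = [];
    foreach ($requestIps as $ip) {
        $results[] = request_matches($sessionId, $storedKey, $ip) ? 'accept' : 'reject';
    }
    return $results;
}

// Constructed sample data: documentation address ranges, made-up session id.
$sessionId = 'constructed-session-id-0001';
$cases = [
    'fixed address'              => ['192.0.2.10', '192.0.2.10', '192.0.2.10'],
    'rotating proxy pool'        => ['198.51.100.7', '198.51.100.8', '198.51.100.9'],
    'id presented from elsewhere' => ['192.0.2.10', '203.0.113.50'],
];

foreach ($cases as $label => $ips) {
    printf("%-30s %s\n", $label, implode(', ', replay($sessionId, $ips)));
}
```

The check cannot tell the rotating-proxy user from a session id presented at a different address: both are rejected as soon as the source IP differs from the one the key was built with.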

