"Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> On Fri, 2 Jul 2004 22:45:23 +0000
> Curt Zirzow <[EMAIL PROTECTED]> wrote:
>
> > * Thus wrote Torsten Roehr:
> > > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > > news:[EMAIL PROTECTED]
> > > >
> > > > The only thing I want to know is all the truth about IE (6?) and
> > > > cookies :)
> > > >
> > > > Heeelp :)
> > >
> > > Sorry to say that but just DO NOT use cookies. You will always have
> > > problems with users having weird cookie settings in their browser.
> > > Cookies are fine for intranets where you know the infrastructure you
> > > are dealing with. Passing the session id via GET/POST may be ugly but
> > > makes you independent of the browser's cookie settings.
> >
> > I would strongly discourage trans_id with sessions that contain
> > sensitive data.
>
> Yes it does contain sensitive data.. And those people can't work with
> that data because of IE...
> Those people have to travel from place to place. They can't use Mozilla
> everywhere or change the IE settings or even turn ZoneAlarm off...
>
> So what are your suggestions? Using trans sid is the only solution as I
> see now.. No matter how unsafe it is.. Or how ugly it looks or works..
>
> That is the problem :)

Use SSL and if possible a Virtual Private Network (VPN). You can also call
session_regenerate_id() after successful login:
http://de.php.net/session_regenerate_id

This adds a bit of additional security because the session id that might be
public before the login will not be of any use to a potential attacker
because it will change after login.

Don't use session.use_trans_sid = 1 because it won't work with form actions
and some other elements. I recommend manually adding the session id to all
your links, form actions and header(location) calls.

Hope this helps a bit.

Regards, Torsten
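The following is an added example, not code from the thread or from any of its participants, showing the two things Torsten recommends in one login script: calling session_regenerate_id() right after a successful login, and appending the session id to links, form actions and header(Location:) calls by hand instead of relying on session.use_trans_sid. The check_credentials() function and the user store inside it are assumptions constructed for the example; session_name(), session_id() and session_regenerate_id() are standard PHP.

```php
<?php
// Added example (not from the mailing-list thread): manual session-id
// propagation plus id regeneration after login, as Torsten describes.
declare(strict_types=1);

session_start();

// Append the current session id to a URL explicitly. This replaces
// session.use_trans_sid, which the thread reports breaks form actions.
function url_with_sid(string $url): string
{
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep
        . rawurlencode(session_name()) . '=' . rawurlencode(session_id());
}

// Hypothetical credential check; the user store is constructed for this
// example only and would be a database lookup in a real application.
function check_credentials(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['user'] ?? '');
    $pass = (string)($_POST['pass'] ?? '');

    if (check_credentials($user, $pass)) {
        // Discard the pre-login id: any id that was visible in URLs before
        // authentication no longer refers to the logged-in session.
        // The "true" argument also deletes the old session file on the server.
        session_regenerate_id(true);
        $_SESSION['user'] = $user;

        // Redirect carrying the *new* id explicitly.
        header('Location: ' . url_with_sid('/account.php'));
        exit;
    }
    $error = 'Login failed.';
}
?>
<!-- Every link and form action carries the id by hand; escape it for HTML. -->
<form method="post"
      action="<?= htmlspecialchars(url_with_sid('/login.php'), ENT_QUOTES, 'UTF-8') ?>">
  <?php if (!empty($error)): ?>
    <p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <input type="text" name="user">
  <input type="password" name="pass">
  <input type="submit" value="Log in">
</form>
<a href="<?= htmlspecialchars(url_with_sid('/help.php'), ENT_QUOTES, 'UTF-8') ?>">Help</a>
```

Regenerating the id after login is what limits the exposure Curt Zirzow warns about: an id carried in the URL before login can end up in proxy logs, browser history and Referer headers sent to other sites, so regenerating it means those copies stop mapping to the authenticated session. The id that is issued after login still travels in URLs, which is why the thread pairs this with SSL or a VPN.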

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
