"Torsten Roehr" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > On Fri, 2 Jul 2004 22:45:23 +0000
> > Curt Zirzow <[EMAIL PROTECTED]> wrote:
> >
> > > * Thus wrote Torsten Roehr:
> > > > "Zilvinas Saltys" <[EMAIL PROTECTED]> wrote in message
> > > > news:[EMAIL PROTECTED]
> > > > >
> > > > > The only thing I want to know is all the truth about IE (6?) and
> > > > > cookies :)
> > > > >
> > > > > Heeelp :)
> > > >
> > > > Sorry to say that but just DO NOT use cookies. You will always have
> > > > problems with users having weird cookie settings in their browser.
> > > > Cookies are fine for intranets where you know the infrastructure you
> > > > are dealing with. Passing the session id via GET/POST may be ugly but
> > > > makes you independent of the browser's cookie settings.
> > >
> > > I would strongly discourage trans_id with sessions that contain
> > > sensitive data.
> >
> > Yes it does contain sensitive data.. And those people can't work with
> > that data because of IE...
> > Those people have to travel from place to place. They can't use Mozilla
> > everywhere or change the IE settings or even turn ZoneAlarm off...
> >
> > So what are your suggestions? Using trans sid is the only solution as I
> > see now.. No matter how unsafe it is.. Or it looks or works ugly..
> >
> > That is the problem :)
>
> Use SSL and if possible a Virtual Private Network (VPN). You can also call
> session_regenerate_id() after successful login:
> http://de.php.net/session_regenerate_id
>
> This adds a bit of additional security because the session id that might
> be public before the login will not be of any use to a potential attacker
> because it will change after login.
>
> Don't use session.use_trans_sid = 1 because it won't work with form
> actions and some other elements. I recommend manually adding the session
> id to all your links, form actions and header(location) calls.
>
> Hope this helps a bit.
>
> Regards, Torsten

One more thing. Store the user's browser id ($_SERVER['HTTP_USER_AGENT'])
and/or his IP into the session and on each request compare the stored values
to the current submitted values.

Regards, Torsten

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
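The two measures Torsten suggests, regenerating the session id after login and binding the session to the client's User-Agent and IP, as an added example that is not code from the thread. It assumes PHP 7 or later and a hypothetical application-specific check_credentials() returning a user id or null; the check works the same whether the session id arrives in a cookie or in the URL.

```php
<?php
// Added example (not from the thread): rotate the session id on login and
// bind the session to the client, as suggested above. Assumes PHP >= 7 and a
// hypothetical check_credentials($user, $pass) returning ?int.
declare(strict_types=1);

session_start();

function client_fingerprint(): string
{
    // User-Agent is the binding that survives travelling users; the IP is
    // stored separately because proxies and roaming change it legitimately.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(string $user, string $pass): bool
{
    $uid = check_credentials($user, $pass); // hypothetical, application-specific
    if ($uid === null) {
        return false;
    }
    // Replace whatever id the client had before authenticating, so an id that
    // was visible in a URL earlier is useless after login.
    session_regenerate_id(true);
    $_SESSION['uid'] = $uid;
    $_SESSION['fp']  = client_fingerprint();
    $_SESSION['ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
    return true;
}

function require_login(): int
{
    if (!isset($_SESSION['uid'], $_SESSION['fp'])
        || !hash_equals($_SESSION['fp'], client_fingerprint())) {
        // User-Agent mismatch: treat the session as hijacked and drop it.
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session check failed; please log in again.');
    }
    // An IP change is logged rather than fatal, for the travelling users in
    // the thread; make it fatal if your users never roam.
    if (($_SERVER['REMOTE_ADDR'] ?? '') !== $_SESSION['ip']) {
        error_log('session ' . session_id() . ' changed IP');
    }
    return (int) $_SESSION['uid'];
}
```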