Thanks everyone. You've done a good job of assuring me that I haven't missed the whole point of the way these things work.
There's been some really useful ideas, suggested and I'm going to have a think about which, if any, are worth implementing. Ultimitely I'm upgrading our site from normal Basic authentication, which sends username and password unencrypted anyway, so compared to that the security upgrade is still a big increase! Marty --- Sam Tregar <[EMAIL PROTECTED]> wrote: > On Mon, 8 Nov 2004, Martin Moss wrote: > > > I'm looking into ways of uniquely identifying a > > computer. > > Intel tried to implement this a while back with a > unique ID in the > CPU. The public was not ammused. If you do find a > way, please tell > us so we can find a workaround. > > > What I wish to do is prevent another user copying > the > > session cookie, from one computer to another, and > then > > gaining access. > > You can get close by using a very short session > timeout, tying the IP > to the cookie and putting a serial number on each > form. I believe > this is what my bank does. Sure, the IP can be > spoofed or shared, and > hackers can automate systems to defeat the timeouts > and serial > numbers, but it definitely raises the bar. As an > added bonus, the > serial numbers also help with the ubiquitous > catastrophe which is the > back button. > > -sam > > -- > Report problems: http://perl.apache.org/bugs/ > Mail list info: > http://perl.apache.org/maillist/modperl.html > List etiquette: > http://perl.apache.org/maillist/email-etiquette.html > > ___________________________________________________________ALL-NEW Yahoo! Messenger - all new features - even more fun! http://uk.messenger.yahoo.com -- Report problems: http://perl.apache.org/bugs/ Mail list info: http://perl.apache.org/maillist/modperl.html List etiquette: http://perl.apache.org/maillist/email-etiquette.html
