> I'm not saying cookie based session is perfectly secure, but
> it's obvious to me that URL based session is much less secure
> than cookie one, especially compared to a session cookie.

URL-based session-id transferal is not much less secure, because all the
user has to do is open up their cache and voila, there is the session id.

I publish e-learning sites to colleges and universities, and I *still*
find that 80% of the places we deliver to don't have cookies enabled
(because of a paranoid sys-admin ... and with the problems recently found
in IE, I don't blame them for expecting security holes / bugs, really).

If you are coding a session handler (on top of the existing PHP4 set of
session tools) I would expect the following:

 * Browser ID checking (and whatever information can be relied upon (in
certain cases, IP)) to make sure that the session ID hasn't just been cut
'n' pasted into an email
 * Time-based logout *server-side* and an error message to inform the user
they have been automatically logged out and, should they leave their
terminal unattended / stop working with the site, they should do this
themselves.

Security is just an illusion in the end anyway - it's the user that is the
prime culprit of security evasion, and the end point is: no matter how you
do it - you have to get a unique session key / id from the client back to
the server in some way. Because this is stored on the client (either as a
cookie, URL or in the outputted code somewhere), it will always have a
flaw.

> Session cookie is the best way of passing a session ID.
> Second best is normal cookie, then URL/POST method.

This bit confused me slightly ... what's the difference between a session
cookie and a normal cookie?

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd
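The two checks listed in the post above (browser-identity binding and a server-side idle timeout with a user-facing message), as an added example that is not part of the original mail or of PHP's own session code. It assumes PHP 5.6 or later ($_SESSION, session_regenerate_id(), hash_equals()), and the constant names and function names are my own.

```php
<?php
// Added example: pin a PHP session to the browser that created it and
// enforce an idle timeout on the server, independent of whether the
// session id travels in a cookie or in the URL.
const IDLE_LIMIT = 900;     // seconds of inactivity before forced logout
const BIND_TO_IP = false;   // IP binding breaks users behind rotating proxies

function client_fingerprint() {
    // User-Agent is client-supplied, so this only catches a pasted id being
    // replayed from a *different* browser; it is a weak check, not a strong one.
    $parts = [isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''];
    if (BIND_TO_IP && isset($_SERVER['REMOTE_ADDR'])) {
        $parts[] = $_SERVER['REMOTE_ADDR'];
    }
    return hash('sha256', implode("\n", $parts));
}

function end_session($message) {
    $_SESSION = [];
    session_destroy();
    // Start a fresh, empty session under a new id so the message survives.
    session_start();
    session_regenerate_id(true);
    $_SESSION['flash'] = $message;
}

function secure_session_start() {
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    session_start();
    $now = time();

    if (!isset($_SESSION['fp'])) {
        // First request: issue a new id and bind it to this browser and time.
        session_regenerate_id(true);
        $_SESSION['fp'] = client_fingerprint();
        $_SESSION['last'] = $now;
        return true;
    }
    if (!hash_equals($_SESSION['fp'], client_fingerprint())) {
        end_session('Session rejected: it was presented from a different browser.');
        return false;
    }
    if ($now - $_SESSION['last'] > IDLE_LIMIT) {
        end_session('You were logged out after ' . (IDLE_LIMIT / 60)
            . ' minutes of inactivity. Please log out yourself before leaving a terminal.');
        return false;
    }
    $_SESSION['last'] = $now;   // refresh the idle clock on every request
    return true;
}
```

Pages call secure_session_start() before any other session use and, when it returns false, show $_SESSION['flash'] on the login page; the timeout is enforced server-side, so a client that ignores it gains nothing.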



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php