There's also something I'm using in my session scripts.
I compare the browser referer with all the possible pages it must have come
from in each script; this way the user MUST start from the login page, and
cannot simply type the URL with the session id. I only tested it with
Internet Explorer >5 and Mozilla (don't remember the version now), it worked
fine.

[]'s
Keyser Soze

----- Original Message -----
From: "Sascha Schumann" <[EMAIL PROTECTED]>
To: "Hans Prins" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, February 11, 2003 2:08 AM
Subject: Re: [PHP-DEV] session security



> Can anyone point me to a possible solution for this?

    1. Use SSL.
    2. Throw away an existing session id, if a user authenticated
       successfully (e.g. destroy the old session, and copy the
       data into a new one).
    3. Provide a logout button which destroys the session.

    - Sascha

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
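Worked example added here, not code from either poster: a small PHP session layer that puts Sascha's three points (HTTPS only, discard the pre-login session id on successful login, a logout that really destroys the session) next to the referer comparison Keyser describes. Everything is assumed: cookie-based sessions, a $_SESSION['user'] key for the logged-in identity, the page paths in the allow-list, and the constructed user table inside credentials_valid().

```php
<?php
// Added example, not from the thread. Assumes cookie-based sessions over
// HTTPS and PHP >= 7.3 (array form of the cookie option functions).
declare(strict_types=1);

// 1. Use SSL: refuse to start a session on plain HTTP, and mark the cookie
//    Secure/HttpOnly so the id is never sent in clear or read by scripts.
function start_secure_session(): void
{
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https) {
        http_response_code(403);
        exit('Sessions are only available over HTTPS');
    }
    ini_set('session.use_only_cookies', '1');  // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 2. Throw away the pre-login session id once the user authenticates.
//    session_regenerate_id(true) issues a fresh id and deletes the old
//    session file; $_SESSION data is carried over to the new id, which is
//    exactly the "destroy the old session, copy the data" step.
function login_user(string $username, string $password): bool
{
    if (!credentials_valid($username, $password)) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user']     = $username;
    $_SESSION['login_at'] = time();
    return true;
}

// 3. Logout: wipe the data, expire the cookie, destroy the server-side session.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Keyser's check: the referer must name one of the pages that legitimately
// link here, on our own host. The header is client-supplied and often
// stripped by browsers and proxies, so treat a pass as a secondary signal
// and a failure as "send them back to the login page", not as authentication.
function referer_allowed(array $allowedPaths, string $ownHost): bool
{
    $ref = $_SERVER['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return false;
    }
    $parts = parse_url($ref);
    if ($parts === false || !isset($parts['host'], $parts['path'])) {
        return false;
    }
    return strcasecmp($parts['host'], $ownHost) === 0
        && in_array($parts['path'], $allowedPaths, true);
}

// Constructed in-memory user table (hash computed at load time for the
// example only; a real app stores password_hash() output).
function credentials_valid(string $username, string $password): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct-horse', PASSWORD_DEFAULT)];
    }
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Usage in a protected page, e.g. account.php (paths are assumptions):
start_secure_session();
if (!isset($_SESSION['user'])
    || !referer_allowed(['/login.php', '/dashboard.php'], $_SERVER['HTTP_HOST'] ?? '')) {
    header('Location: /login.php');
    exit;
}
```

The login handler calls start_secure_session() then login_user(); a logout link calls start_secure_session() then logout_user(). Point 2 is the one that defeats a fixated id handed to the victim before login, so it is the check to get right even if the referer comparison is dropped.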