"Keyser Soze" <[EMAIL PROTECTED]> wrote... :

> There's also something I'm using in my session scripts.
> I compare the browser referer with all the possible pages it must have come
> from in each script, this way the user MUST start from the login page, and
> cannot simply type the url with the session id. I only tested it with
> Internet Explorer >5 and Mozilla (don't remember the version now), it worked
> fine.

This is an insecure method as HTTP_REFERER is being sent by the browser. One can simply create a socket connection inputting that variable into the HTTP request headers.

--
Maxim Maletsky
[EMAIL PROTECTED]

> []'s
> Keyser Soze
>
> ----- Original Message -----
> From: "Sascha Schumann" <[EMAIL PROTECTED]>
> To: "Hans Prins" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 11, 2003 2:08 AM
> Subject: Re: [PHP-DEV] session security
>
>
> > > Can anyone point me to a possible solution for this?
> >
> > 1. Use SSL.
> > 2. Throw away an existing session id, if a user authenticated
> > successfully (e.g. destroy the old session, and copy the
> > data into a new one).
> > 3. Provide a logout button which destroys the session.
> >
> > - Sascha
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php
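The two server-side mitigations Sascha lists (a fresh session id once the user has authenticated, and a logout that really destroys the session), as an added PHP example that is not code from this thread; it assumes PHP 7.3 or later, and `authenticate()` is a placeholder for the application's own credential check.

```php
<?php
// Added example (not from the thread). authenticate() is a placeholder.

// "Use SSL": only send the session cookie over HTTPS and keep it away
// from script access. Must be set before session_start().
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    // Point 2: discard the id the client arrived with and move the data into
    // a brand-new session; `true` deletes the old session so its id is dead.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['logged_in'] = time();
    return true;
}

function logout(): void
{
    // Point 3: wipe server-side data, expire the cookie in the browser,
    // then destroy the session itself.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 86400,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

function authenticate(string $user, string $password): bool
{
    // Placeholder for the application's own credential check
    // (e.g. a user lookup followed by password_verify()).
    return false;
}
```

Because the id is rotated only after a successful `authenticate()`, an id a client presented before logging in never becomes an authenticated session, which is what a referer check cannot guarantee.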
