--- "Chris W. Parker" <[EMAIL PROTECTED]> wrote:
> > Not a good method. If I get on your site and see my cookie has the
> > value 241757219 in it, I just need to subtract one from the number
> > and revisit your site. Now I'm the user who registered before me.
> > Using the rand() or uniqid() method above means I have to guess an
> > entire random number / character sequence, which is going to be
> > harder (or nearly impossible). 
> 
> But that would require that you register immediately after the person
> before you. Then you could compare the two numbers and figure out what
> the base number is, but that seems REALLY unlikely.
> 
> Can you explain it a little different maybe?

Well, never underestimate the persistence of the bad guys. They will try for
hours and hours to guess a session ID, and if yours are sequential, they're
much easier to guess than if they are random. This actually follows along the
"no security through obscurity" rule.

In addition to this, there are many other ways session IDs can be disclosed to
the bad guy. So, eliminate the chances of a guess, but don't just stop there.

Hope that helps.

Chris

=====
My Blog
     http://shiflett.org/
HTTP Developer's Handbook
     http://httphandbook.org/
RAMP Training Courses
     http://www.nyphp.org/ramp

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
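As an added illustration, not code from the thread or from Chris, here are the three schemes under discussion side by side in PHP 7 or later (random_bytes() needs 7.0+; everything else is core PHP). The session table, the attacker's starting ID and the search range are constructed for the demonstration. One point the code makes explicit: uniqid() is built from the clock (8 hex digits of seconds, 5 of microseconds), so an ID from it is unique but its issue time can be read straight out of the string, which is why a CSPRNG is the right source today.

```php
<?php
// Added example, not code from the original thread. Requires PHP >= 7.0.
declare(strict_types=1);

// Scheme 1: sequential, the approach criticised in the thread. Knowing your
// own ID tells you the IDs issued just before and after you.
function sequentialSessionId(int $lastIssued): string
{
    return (string) ($lastIssued + 1);
}

// Scheme 2: uniqid(). Unique, but time-based: with more_entropy off it is
// 8 hex digits of seconds since the epoch plus 5 hex digits of microseconds.
function uniqidSessionId(): string
{
    return uniqid();
}

// Scheme 3: 128 bits from the operating system's CSPRNG. No structure to
// exploit; the best an attacker can do is brute force over 2^128 values.
function randomSessionId(): string
{
    return bin2hex(random_bytes(16));
}

// Attacker's view of scheme 1: try the neighbours of the ID they were given.
// Returns the candidates within $range steps that are live sessions.
function neighbourAttack(string $attackerId, array $liveSessions, int $range): array
{
    $hits = [];
    $base = (int) $attackerId;
    for ($delta = -$range; $delta <= $range; $delta++) {
        if ($delta === 0) {
            continue;
        }
        $candidate = (string) ($base + $delta);
        if (isset($liveSessions[$candidate])) {
            $hits[] = $candidate;
        }
    }
    return $hits;
}

// Attacker's view of scheme 2: recover the issue time from the ID itself.
// If the login can be narrowed to a one-hour window, the search space is
// 3600 * 10^6 candidates (about 2^32), not the 2^52 that 13 hex digits suggest.
function uniqidIssueTime(string $id): int
{
    return (int) hexdec(substr($id, 0, 8));
}

// Demonstration with a constructed session table (hypothetical data).
$live = [];
for ($i = 241757210; $i <= 241757219; $i++) {
    $live[(string) $i] = 'user' . $i;
}
$attacker = '241757219';
printf("Sequential: live neighbours of %s: %s\n",
    $attacker, implode(', ', neighbourAttack($attacker, $live, 5)));

$u = uniqidSessionId();
printf("uniqid(): %s was issued at %s (recovered from the ID alone)\n",
    $u, date('c', uniqidIssueTime($u)));

$r = randomSessionId();
printf("random_bytes(): %s (%d bits, nothing to recover)\n", $r, strlen($r) * 4);
```

Run it from the command line with php and the first line will list every other session in the constructed table, the second will print the current time decoded from the uniqid() value, and the third a 32-character hex string that carries no information about when or for whom it was issued.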
