--- Hardik Doshi <[EMAIL PROTECTED]> wrote:

> > 1. Include the session identifier in all your URLs
> > manually.
>
> I did this and it works fine. Now, by doing this, I have
> a question about security. What security measures should
> I take when I am passing the session id value on the URL?
>
> > 2. Let PHP do this for you by enabling
> > session.use_trans_sid in your php.ini.
>
> With option #2 I have the same concern about security.
> Please clarify the security measures.
Good question. Basically, if the session identifier is the only thing you use for identification, your implementation is weak in terms of preventing (or even complicating) impersonation. This is true regardless of whether the client passes this identifier as GET data, POST data, or a cookie.

Rather than elaborate here, I'll point you to an article I wrote that will hopefully give you a better idea about what sort of things you can do to improve your implementation:

http://shiflett.org/articles/the-truth-about-sessions

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
    Coming mid-2004
HTTP Developer's Handbook - Sams
    http://httphandbook.org/
PHP Community Site
    http://phpcommunity.org/

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
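As an added illustration of the point Chris makes above (example code written for this page, not Chris's code and not taken from the linked article), here is a PHP snippet that keeps the identifier out of URLs and refuses to treat the bare identifier as proof of identity. The user-agent fingerprint, the 30-minute timeout and the function names are assumptions chosen for the example.

```php
<?php
// Added example: a PHP session that does not rely on the session identifier alone.
// Function names, the fingerprint choice and the timeout policy are assumptions.

// 1. Keep the identifier out of URLs: cookies only, no trans_sid rewriting,
//    and reject identifiers the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
if (!empty($_SERVER['HTTPS'])) {
    ini_set('session.cookie_secure', '1');
}
session_start();

// 2. On login, issue a fresh identifier so any identifier that existed before
//    authentication (for example one that leaked in a shared URL) is worthless.
function login_user(int $userId): void
{
    session_regenerate_id(true);               // true: delete the old session data
    $_SESSION['user_id']   = $userId;
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['auth_time'] = time();
}

// 3. On every request, require the extra claims recorded at login to still
//    hold; a matching identifier by itself is not enough.
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'], $_SESSION['auth_time'])) {
        return null;                           // never authenticated in this session
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        return null;                           // fingerprint changed: treat as unauthenticated
    }
    if (time() - $_SESSION['auth_time'] > 1800) {
        return null;                           // absolute timeout of 30 minutes (assumed policy)
    }
    return $_SESSION['user_id'];
}
```

The fingerprint check is a heuristic: it raises the cost of replaying a captured identifier but does not replace TLS, short lifetimes and regeneration on privilege change.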