--- Tim Traver <[EMAIL PROTECTED]> wrote:
> what I meant by the session data getting stored locally is that it is
> local to the web server, not locally on the client browser.

I see. My apologies.

Perhaps we should both refrain from using locally and instead use server
and client to be clear. :-)

> what i meant by "no one can spoof it" is that no one knows what session
> variables are stored with what data that is being used to authenticate
> that session

Yes, now that I see you're speaking about session data on the server, I
think the "no one can spoof it" is right. I hesitate to ever say such a
thing, only because I know it is too absolute to be true. But, session
data is very safe, I agree.

> Nice article by the way, and I am indeed already using those same
> methods to secure the user session. (I use SHA1 on the IP, PHPSESSIONID,
> user agent, and a secret...)

Thanks for the kind words. I must point out that you'll never see me
suggesting to use the IP address for anything important, especially
anything regarding security.

Also, George Schlossnagle recently expressed to me that he has observed
the User-Agent header changing for the same client. I've never heard of
this myself, and he had nothing but his memory of the event to support it,
but it's something to keep in mind. I try to never "punish" a user who
fails a check, just in case the user isn't actually the bad guy. Rather, I
ask the user to re-enter the password or something, which is less
problematic (unless the user really is a bad guy).

> So, it sounds like the only way for it to set a new cookie is by opening
> a new browser app, which would allow you to send a new cookie different
> than your other windows, and it doesn't look like I can do that from an
> existing window, cause it will always send the same cookie...

That's right. Recently, I think someone on this list was describing how a
particular version of IE behaves the exact way that you're wanting - it
kept cookies separate for each window. I've never seen or heard of this
being confirmed, but there's another rumor for you. :-)

> darn...I guess I'll have to live with that...hmmmm...maybe I can set it
> on a different cookie path...that might work...

Yes, there are many options for you if you write a bit of code. One option
would be to write your own session handler for the admin side of things,
using session_set_save_handler() to register your custom functions. Then,
you could do something as simple as appending "admin" to the session
identifier before storing and retrieving session data. This would be no
less secure than the standard mechanism, and it would allow you to have as
many sessions per user as you need.

> anyways, thanks for the discussion chris.

No problem. I hope this was more helpful.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
     Coming mid-2004
HTTP Developer's Handbook - Sams
     http://httphandbook.org/
PHP Community Site
     http://phpcommunity.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
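The admin-side session handler Chris describes, as an added example that is not code from the original thread: the callbacks registered with session_set_save_handler() append "admin" to the session identifier before reading and writing, so the admin session is stored separately from the regular one. The storage directory and the cookie name ADMINSESSID are assumptions.

```php
<?php
// Added example, not from the original thread. File-based handler that keeps
// admin sessions in their own namespace by appending "admin" to the id.
$savePath = '/tmp/admin_sessions';   // hypothetical storage directory

// Validate the id before it touches the filesystem: only characters PHP itself
// uses for session ids are accepted, so a crafted cookie cannot name a path.
function admin_key($id)
{
    if (!preg_match('/^[A-Za-z0-9,-]{16,128}$/', $id)) {
        return false;
    }
    return $id . 'admin';
}

function admin_open($path, $name)
{
    global $savePath;
    return is_dir($savePath) || mkdir($savePath, 0700, true);
}
function admin_close() { return true; }

function admin_read($id)
{
    global $savePath;
    $key = admin_key($id);
    if ($key === false) return '';
    $file = "$savePath/sess_$key";
    return is_file($file) ? (string) file_get_contents($file) : '';
}

function admin_write($id, $data)
{
    global $savePath;
    $key = admin_key($id);
    if ($key === false) return false;
    return file_put_contents("$savePath/sess_$key", $data, LOCK_EX) !== false;
}

function admin_destroy($id)
{
    global $savePath;
    $key = admin_key($id);
    return $key !== false && (!is_file("$savePath/sess_$key") || unlink("$savePath/sess_$key"));
}

function admin_gc($maxlifetime)
{
    global $savePath;
    foreach (glob("$savePath/sess_*admin") as $file) {
        if (filemtime($file) + $maxlifetime < time()) unlink($file);
    }
    return true;
}

session_set_save_handler('admin_open', 'admin_close', 'admin_read',
                         'admin_write', 'admin_destroy', 'admin_gc');
session_name('ADMINSESSID');   // separate cookie from the regular PHPSESSID
session_start();
```

Because the admin session uses its own cookie name and its own storage key, a user can hold both a normal and an admin session at once without either overwriting the other.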
