Bass??? pressed the little lettered thingies in this order...
> I have a Q.
> Will the session ID be stolen by a hacker when the ID is transferred between
> client and server? Then can the hacker send the ID to the server and view the
> user's page?
>
Yes. That *can* happen to any non-encrypted transmission that
passes over an untrusted network. It would be difficult to do, so it's
unlikely, but it *can* happen. It would require a packet sniffer on your
network, on the target network or somewhere between.

If you want to prevent this, you should match session ID with requesting
IP address, log both into a database and check both for each page
request.

If the data being accessed is *that* important that a hacker would go
through that much trouble to hijack a session, you probably should
consider using SSL.
Christopher Ostmo
a.k.a. [EMAIL PROTECTED]
AppIdeas.com
Meeting cutting edge dynamic
web site needs
For a good time,
http://www.AppIdeas.com/
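
One way to implement the session-ID/IP check described in the reply above, as an added example that is not part of the original message. It assumes an in-memory SQLite database reached through PDO; the table name, function names and sample addresses are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: one row per session, keyed by a hash of the session ID
// so a leaked table does not hand out usable IDs.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE session_ip (
        sid_hash TEXT PRIMARY KEY, ip TEXT NOT NULL, created INTEGER NOT NULL)');
    return $db;
}

// Called once, right after login: log the session ID with the requesting IP.
// In a real page the inputs would be session_id() and $_SERVER['REMOTE_ADDR'].
function register_session(PDO $db, string $sid, string $ip): void {
    $stmt = $db->prepare(
        'INSERT INTO session_ip (sid_hash, ip, created) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $sid), $ip, time()]);
}

// Called on every page request: the session is honoured only if the ID is
// known AND the request comes from the address it was issued to.
function check_session(PDO $db, string $sid, string $ip): bool {
    $key  = hash('sha256', $sid);
    $stmt = $db->prepare('SELECT ip FROM session_ip WHERE sid_hash = ?');
    $stmt->execute([$key]);
    $bound = $stmt->fetchColumn();   // false when the ID was never logged
    if ($bound === false || $bound !== $ip) {
        // Unknown ID or address mismatch: revoke the binding so the ID is dead.
        $db->prepare('DELETE FROM session_ip WHERE sid_hash = ?')->execute([$key]);
        return false;
    }
    return true;
}

// Constructed demo values: documentation address ranges and a random ID.
$db  = open_store();
$sid = bin2hex(random_bytes(16));
register_session($db, $sid, '192.0.2.10');

var_dump(check_session($db, $sid, '192.0.2.10'));   // request from the original client
var_dump(check_session($db, $sid, '198.51.100.7')); // same ID replayed from another address
var_dump(check_session($db, $sid, '192.0.2.10'));   // original client after the revocation
```

A client whose address changes mid-session is logged out by this check, and a sniffer that shares the victim's NAT or proxy address still passes it, which is why the reply points to SSL for data that matters.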
--
PHP General Mailing List (http://www.php.net/)