o ic
check the IP to prevent .

But I have another Q.
1.)
I see from www.php.net, people said they will generate a Session ID by
themselves
srand((double)microtime()*1000000);
$unique_str = md5(rand(0,9999999));
why not to generate by ourself?
PHP will create itself.

2.)
Will Session have problem when people browse from a http page to a https
page and go out again?

thx


"Christopher Ostmo" <[EMAIL PROTECTED]> wrote in message
news:3B337955.15490.27965520@localhost...
> Bass??? pressed the little lettered thingies in this order...
>
> > I have a Q.
> > will the Session ID be stolen by hacker when the ID transfer between client
> > and server ? Then can the hacker send the ID to server and view the user's
> > page ?
> >
>
> Yes.  That *can* happen to any non-encrypted transmission that
> passes over an untrusted network.  It would be difficult to do, so it's
> unlikely, but it *can* happen. It would require a packet sniffer on your
> network, on the target network or somewhere between.
>
> If you want to prevent this, you should match session ID with requesting
> IP address, log both into a database and check both for each page
> request.
>
> If the data being accessed is *that* important that a hacker would go
> through that much trouble to hijack a session, you probably should
> consider using SSL.
>
> Christopher Ostmo
> a.k.a. [EMAIL PROTECTED]
> AppIdeas.com
> Meeting cutting edge dynamic
> web site needs
>
> For a good time,
> http://www.AppIdeas.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
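
The check suggested in the quoted reply (log the session ID together with the requesting IP, then compare both on every page request), as an added example that is not part of the original thread. The table name, the function names `session_issue` and `session_check`, and the in-memory SQLite store are assumptions made for illustration; the ID comes from PHP's `random_bytes()` (PHP 7+) rather than the `md5(rand())` snippet quoted above.

```php
<?php
// Added example, not code from the thread. All names here are hypothetical.
// Constructed store: in-memory SQLite via PDO stands in for the site's database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, ip TEXT NOT NULL, created INTEGER NOT NULL)');

// Issue a session: 128 bits from the OS CSPRNG, logged together with the client IP.
function session_issue(PDO $db, string $ip): string
{
    $id = bin2hex(random_bytes(16));
    $stmt = $db->prepare('INSERT INTO sessions (id, ip, created) VALUES (?, ?, ?)');
    $stmt->execute([$id, $ip, time()]);
    return $id;
}

// Check on every page request: the ID must exist and the IP must match the logged one.
function session_check(PDO $db, string $id, string $ip): bool
{
    $stmt = $db->prepare('SELECT ip FROM sessions WHERE id = ?');
    $stmt->execute([$id]);
    $loggedIp = $stmt->fetchColumn();
    if ($loggedIp === false) {
        return false; // unknown ID
    }
    if (!hash_equals($loggedIp, $ip)) {
        // Same ID presented from another address: end the session entirely.
        $db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
        return false;
    }
    return true;
}

// Constructed requests (documentation-range addresses).
$sid = session_issue($db, '192.0.2.10');
var_dump(session_check($db, $sid, '192.0.2.10'));   // original client
var_dump(session_check($db, $sid, '198.51.100.7')); // same ID, different address
var_dump(session_check($db, $sid, '192.0.2.10'));   // after the session was ended
```

In a real page the address would come from `$_SERVER['REMOTE_ADDR']`. An IP match does not separate users behind the same NAT or proxy and will log out clients whose address changes mid-session, so it complements SSL rather than replacing it.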


