David Price <[EMAIL PROTECTED]> said:

> The way I got around this was to create a session key using an MD5 hash of
> the session id and the user's IP address.
> <SNIP>
>
> I know that the IP address can be spoofed, but I'm not sending the session
> id in the url, so no one knows what it is and without the session id the
> session key can not be spoofed.
>

IP spoofing is only a side issue - some users' IP address changes from request to request. WebTV is an example, and users behind proxies are another.

I guess I'm looking for the perfect solution here, which just doesn't appear to be possible with HTTP. Maybe a better question is: "What is the ideal model for a PHP4 sessions authentication scheme?"

Thanks anyway,
adam

--
PHP General Mailing List (http://www.php.net/)
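The scheme quoted above and the failure adam describes, as an added example that is not part of the original thread. It is written in current PHP rather than PHP4, and the function names, session ids and addresses are constructed for illustration.

```php
<?php
// Added illustration: function names and request data are constructed, not from the thread.

// Derive the session key as described in the thread: MD5 over session id + client IP.
function make_session_key(string $sessionId, string $clientIp): string
{
    return md5($sessionId . $clientIp);
}

// Accept a request only if its recomputed key matches the key stored at login.
function request_is_accepted(string $storedKey, string $sessionId, string $clientIp): bool
{
    return hash_equals($storedKey, make_session_key($sessionId, $clientIp));
}

// Constructed sample: one user logs in, then further requests arrive.
// All addresses are from the documentation ranges (RFC 5737).
$sessionId = 'constructed-session-id-0001';
$loginIp   = '192.0.2.10';
$storedKey = make_session_key($sessionId, $loginIp); // kept server-side with the session data

$requests = [
    ['label' => 'same user, same IP',                 'sid' => $sessionId, 'ip' => '192.0.2.10'],
    ['label' => 'same user, proxy pool switched IP',  'sid' => $sessionId, 'ip' => '192.0.2.11'],
    ['label' => 'same user, different proxy network', 'sid' => $sessionId, 'ip' => '198.51.100.7'],
    ['label' => 'other client, wrong session id',     'sid' => 'constructed-session-id-9999', 'ip' => '203.0.113.5'],
];

foreach ($requests as $r) {
    $ok = request_is_accepted($storedKey, $r['sid'], $r['ip']);
    printf("%-36s %-14s %s\n", $r['label'], $r['ip'], $ok ? 'accepted' : 'REJECTED');
}
```

The second and third requests come from the legitimate session holder and are rejected only because the source address changed between requests.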
- [PHP] Stopping stolen / spoofed / linked sessions adam (dahamsta)