Depends on what you want to do; first you have to define what valid sessions are.
So think of things like this:
- One Session can only come from one IP address
- A session ID that was created n minutes ago is no longer valid
- A user using Netscape x can't be using IExplorer y
....

After a user connects to you with a session ID you could check all those things yourself in your PHP script and respond appropriately. In this case, store the session in a Database with the remote IP address, expire the Session and check the referer. That should block a lot of script kiddies but of course slows down the site.

Also, it's not that hard to create cookies by hand so that won't stop people who really want to enter your site :-( and remember sessions are not meant to be secure, that is why we have SSL :-)


Robert Klinkenberg

> -----Original message-----
> From:  Bill Rausch [SMTP:[EMAIL PROTECTED]]
> Sent:    Saturday, June 30, 2001 12:43 AM
> To:  [EMAIL PROTECTED]
> Subject:    AW: [PHP] Stopping stolen / spoofed / linked sessions
> 
> Sebastian Stadtlich said:
> 
> >there is an option in php ini :
> >
> >session.referer_check     =
> >
> >which should fit your needs
> >
> >not sure how to use it, but probably one of the php-developers on this
> >list can assist...
> 
> I looked at this thing and can't figure out that it does very much. 
> If someone makes a web page that contains a link to my site that 
> contains the PHPSESSID=... then that session id will be invalid. 
> However, if they just type the same string into their browser by 
> hand, it is accepted?
> 
> It seems that there is no stopping session spoofing if using the URL 
> method. The only work around is to expire sessions quickly or to 
> require that cookies be used?
> 

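The per-request checks listed at the top of this reply (one IP per session, age expiry, browser and referer consistency), as an added PHP example that is not from the original post. The stored record, the site host and both requests are constructed; a real script would load the record from the database row keyed by the session ID.

```php
<?php
// Added example (not from the original post): the per-request session checks the
// reply lists, run against a constructed stored record and two constructed requests.
// Assumes the session row was saved with the client IP, User-Agent and creation time.
const SESSION_MAX_AGE = 30 * 60;           // "created n minutes ago is no longer valid"
const SITE_HOST       = 'www.example.com'; // hypothetical host used for the referer check

// Constructed record, standing in for the database row looked up by session ID.
$stored = [
    'ip'         => '192.0.2.10',
    'user_agent' => 'Mozilla/4.7 [en] (X11; U; Linux 2.4.5 i686)',
    'created'    => 1000000000,            // Unix timestamp at session creation
];

// Returns the list of failed checks; an empty list means the session is accepted.
function validateSession(array $stored, array $request, int $now): array
{
    $failures = [];
    if ($stored['ip'] !== $request['ip']) {
        $failures[] = 'ip';         // also fails for users whose IP changes mid-session (proxies)
    }
    if ($stored['user_agent'] !== $request['user_agent']) {
        $failures[] = 'user_agent'; // client-controlled header, so only a weak signal
    }
    if ($now - $stored['created'] > SESSION_MAX_AGE) {
        $failures[] = 'expired';
    }
    // Referer: reject only when present and pointing at another site. It is absent for a
    // hand-typed URL, which is exactly the gap the quoted message below complains about.
    $referer = $request['referer'] ?? '';
    if ($referer !== '' && parse_url($referer, PHP_URL_HOST) !== SITE_HOST) {
        $failures[] = 'referer';
    }
    return $failures;
}

// Constructed requests: the legitimate client, and the same session ID pasted into a
// link on another site and followed from a different machine with a different browser.
$requests = [
    'same client' => ['ip' => '192.0.2.10', 'user_agent' => $stored['user_agent'],
                      'referer' => 'http://www.example.com/page.php'],
    'linked copy' => ['ip' => '198.51.100.7', 'user_agent' => 'Mozilla/4.0 (compatible; MSIE 5.5)',
                      'referer' => 'http://other-site.example/links.html'],
];
foreach ($requests as $label => $req) {
    $failed = validateSession($stored, $req, 1000000000 + 600); // 10 minutes after creation
    printf("%-12s %s\n", $label, $failed ? 'REJECT (' . implode(', ', $failed) . ')' : 'accept');
}
```

Expect `same client` to be accepted and `linked copy` to be rejected on `ip`, `user_agent` and `referer`; as the reply notes, a client that forges its own headers still defeats everything but the IP check and the expiry.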
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
