I can't answer your overall question but I can tell you that a 'resourceful'
hacker can also easily spoof an IP address, or so I'm told ;)

Why not just have the entire session encrypted?  The user could browse
around the catalog sessionless and as soon as a cart was necessary (wants to
put something in it) the https starts. (?)

Drew Lopucki
[EMAIL PROTECTED]

-----Original Message-----
From: Steve Clay [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 19, 2002 7:13 AM
To: PHP-GENERAL
Subject: [PHP] sessions not so secure..solution?


Hello,
      I'm building an e-commerce site which uses sessions to
hold my $cart object.  This works great but I've two worries:

1) When the user connects through our secure hostname, can I ensure
the browser will send the server the cookie (w/ SESSID)?  The user
will shop through domain.com and checkout via https://secure.domain.com.
(haven't got cert yet)

2) While the user shops the SESSID is thrown around insecurely (no big
deal, just a cart).  But when I move the user to a secure server to
get sensitive info a resourceful hacker could also go to the checkout
script using this SESSID and 'confirm' the real user's personal
details (kept in another registered session object).

If I can't keep the user's details in the old session, can I delete
the old session and copy the cart to a new session?  Should I do this
anytime the user goes back to the insecure site and returns to finish
checking out?

As an alternative, would there be any problems with keeping the IP of
the user in a session variable for further authentication?  I assume
I'd record the IP immediately upon checking in at the secure server
then enforce this per request.  That way, worst case scenario the
hacker gets a SESSID and heads to checkout first, server restricts the
real user from accessing (because of different IP).

This is my first time coding for a secure server and my first post
here as well..

Steve
--
[EMAIL PROTECTED] ** http://mrclay.org


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
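Steve's point 2 asks whether the old session has to be deleted and the cart copied over. One way to arrange it so the SESSID that travelled over plain HTTP is never accepted by checkout at all is to give checkout its own HTTPS-only session cookie and copy only the cart across. This is an added example, not code from either poster; it assumes the catalog keeps the cart in `$_SESSION['cart']` with its cookie set for `.domain.com`, PHP 7.3+ for the array form of `session_set_cookie_params()`, and the names `SECURESESSID` and `start_secure_checkout()` are my own.

```php
<?php
// Added example (not from the thread). Two session names: the catalog's
// cart session travels over HTTP; checkout uses its own HTTPS-only cookie,
// so the SESSID observed while shopping is never accepted by checkout.
// Assumes the catalog keeps the cart in $_SESSION['cart'] and sets its
// cookie for .domain.com. PHP 7.3+ for the array form of cookie params.
declare(strict_types=1);

const SHOP_SESSION   = 'PHPSESSID';     // catalog session, sent over HTTP
const SECURE_SESSION = 'SECURESESSID';  // checkout session, HTTPS cookie only

/** Call first thing on every page under https://secure.domain.com/. */
function start_secure_checkout(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://secure.domain.com' . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }

    // 1. Copy the cart out of the shopping session; nothing else in it is
    //    trusted here, and personal details never go into it.
    $cart = [];
    if (isset($_COOKIE[SHOP_SESSION])) {
        session_name(SHOP_SESSION);
        session_start();
        $cart = $_SESSION['cart'] ?? [];
        session_write_close();
    }

    // 2. Start (or resume) the checkout session under its own cookie name.
    //    Secure: never sent over plain HTTP. Empty domain: host-only, not
    //    shared with domain.com. HttpOnly: unreadable from script.
    session_name(SECURE_SESSION);
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    // 3. Fresh id on first use, so an id planted before the user reached
    //    checkout (session fixation) is not the one that gets the details.
    if (empty($_SESSION['checkout_started'])) {
        session_regenerate_id(true);
        $_SESSION['checkout_started'] = true;
    }
    if ($cart !== []) {
        $_SESSION['cart'] = $cart;
    }
}
```

With this layout the shopper can wander back to the plain-HTTP catalog and return as often as they like: the cart is re-copied on each entry, while the details collected at checkout only ever live in the session whose cookie the browser refuses to send over HTTP.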


