Alright, with every link I send, I let the client send me a number only from his browser, not a cookie, and it's stored in the session on the server. So if you steal the session ID cookie and try to connect through it, he has to send the same number every time, so stealing the session alone is not enough; you have to steal this number too, but this number would be sent through HTTPS, so sniffing it wouldn't give you the result.

With every click from the browser, I check for that number; if it's invalid I refuse the connection.
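The scheme described above, as an added Python model (not code from the thread or from any JoPHP member; `SessionStore`, `handle_click` and the `?t=` link parameter are assumed names): the token lives only in the server-side session and in the page's links, never in a cookie, rotates on every click, and a click with a stale or missing token tears the session down.

```python
import hmac
import secrets


class SessionStore:
    """Server-side session table: session id (the cookie) -> user + current token."""

    def __init__(self):
        self._sessions = {}

    def login(self, user):
        """Create a session; return the id that goes into the cookie."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "token": secrets.token_urlsafe(32)}
        return sid

    def link(self, sid, path):
        """Embed the current token in a link served over HTTPS (never in a cookie)."""
        return f"{path}?t={self._sessions[sid]['token']}"

    def handle_click(self, sid, presented_token):
        """Check cookie + token. Returns (user, next_token) or None.

        A wrong or missing token is treated as a hijack attempt: the session is
        destroyed, so a stolen cookie alone can no longer be used (the trade-off
        is that whoever holds the cookie can force the real user to log in again).
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if not hmac.compare_digest(sess["token"], presented_token or ""):
            del self._sessions[sid]
            return None
        sess["token"] = secrets.token_urlsafe(32)  # fresh token for the next page
        return sess["user"], sess["token"]


def simulate():
    """Constructed walkthrough: one legitimate click, one replay, one follow-up."""
    store = SessionStore()
    sid = store.login("alice")
    # The browser got a page whose links carry the current token.
    token0 = store.link(sid, "/account").split("?t=", 1)[1]
    user, token1 = store.handle_click(sid, token0)
    # Someone who copied the cookie and the old (already consumed) token replays it.
    replay = store.handle_click(sid, token0)
    # The real user's next click fails too: the session was torn down on the replay.
    after = store.handle_click(sid, token1)
    return user, replay, after
```

Note that per-click rotation means two tabs or the browser's back button will present a stale token, so a real deployment has to decide how strictly to treat that case.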

On 3/1/06, zaid emeish < [EMAIL PROTECTED]> wrote:
can you be more descriptive?
So if somebody steals the session cookie, what difference does it make if you depend on that cookie? You added nothing but overhead to your application, if I am not mistaken. Please be more descriptive with the solution.

Thanks
Zaid


On 3/1/06, Khair-ed Din Husseini <[EMAIL PROTECTED]> wrote:

Wouldn't it be pretty useless to store this information depending on the session?

OK, if you use the values only for that session then it is useful.

Hence you could not provide such things as login remembrance… or am I wrong?


From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Ala'a Ibrahim
Sent: Wednesday, March 01, 2006 17:26


To: Jordan PHP User Group Mailing list
Subject: Re: [JoPHP] Cookies Security Threats with IE


Got it, a friend had solved it: with every page I would send some secret code, generated from a lot of things including a random thing, and stored in the session, so if somebody steals all the cookies, he also needs to know what this code is, which is only transmitted through an HTTPS connection. I guess this would solve the thing.

On 2/28/06, zaid emeish <[EMAIL PROTECTED]> wrote:

The security level you seek is relevant to the importance of the data you are protecting, so if you are protecting things that are recoverable and not that much of a risk you don't need to go far with protection, but if you are protecting data like credit card numbers and social security numbers you might want to ask for the username and password before seeing this page, just like Amazon; they let you shop on their site but when it comes to payment they require a new login. And a good practice I saw is that if the person is idle for a certain amount of time (e.g. not clicking or doing any action) you can terminate the session and require a new login. There are lots of things you can do but they can be expensive on the application or usability, so you really need to know what you are protecting and how far you want to go with that.

And I agree that IP checking is not a preferable idea, because some ISPs here use clustered proxies, so the user would have a different IP on every new page they hit.


On 2/28/06, Anubis HH <[EMAIL PROTECTED]> wrote:



--- Ala'a Ibrahim <[EMAIL PROTECTED]> wrote:

> I thought of that, but the reason I mentioned an
> Internet Cafe is that
> the same 2 computers have the IP address for me,

Use the User-Agent also; even in cafes most probably
it's not the same. Use the Referer also.



_______________________________________________
Jordan PHP Users Group
http://php.jolug.org/
Php mailing list
[email protected]
http://mail.jolug.org/mailman/listinfo/php_jolug.org







--
                                 Ala'a A. Ibrahim
http://alaa83.blogspot.com/

