But there's a huge problem with this method: if the user submitted a form, the token would get lost, unless you generate the token in a hidden field.
Yet if the user clicks back and then visits a link, it would kick him out, because he requested that page using an invalid token.

Ammar

--- Ala'a Ibrahim <[EMAIL PROTECTED]> wrote:

> Alright, with every link I send, I let the client send me a number only from
> his browser, not a cookie, and it's stored in the session on the server, so
> if you steal the session ID cookie and try to connect through it, he has to
> send the same number every time, so stealing the session alone is not
> enough, you have to steal this number too, but this number would be sent
> through HTTPS, so sniffing it wouldn't give you the result.
>
> With every click from the browser, I check for that number; if it's invalid
> I refuse the connection.
>
> On 3/1/06, zaid emeish <[EMAIL PROTECTED]> wrote:
>
> > Can you be more descriptive?
> > So if somebody steals the session cookie, what difference does it make if
> > you depend on that cookie? You added nothing but overhead to your
> > application, if I am not mistaken. Please be more descriptive with the
> > solution.
> >
> > Thanks
> > Zaid
> >
> > On 3/1/06, Khair-ed Din Husseini <[EMAIL PROTECTED]> wrote:
> >
> > > Wouldn't it be pretty useless to store this information depending on
> > > the session?
> > >
> > > Ok, if you use the values only for that session then it is useful.
> > >
> > > Hence you could not provide such things like login remembrance, or am I
> > > wrong?
> > >
> > > ------------------------------
> > >
> > > *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of* Ala'a Ibrahim
> > > *Sent:* Wednesday, March 01, 2006 17:26
> > > *To:* Jordan PHP User Group Mailing list
> > > *Subject:* Re: [JoPHP] Cookies Security Threats with IE
> > >
> > > Got it, a friend had solved it: with every page I would send some
> > > secret code, generated from a lot of things including a random thing, and
> > > stored in the session, so if somebody steals all the cookies, he also
> > > needs to know what this code is, which is only transmitted through an
> > > HTTPS connection. I guess this would solve the thing.
> > >
> > > On 2/28/06, *zaid emeish* <[EMAIL PROTECTED]> wrote:
> > >
> > > The security level you seek is relevant to the importance of the data
> > > you are protecting, so if you are protecting things that are recoverable
> > > and not that much of a risk you don't need to go far with protection, but
> > > if you are protecting data like credit card numbers and social security
> > > numbers you might want to ask for the username and password before
> > > seeing this page, just like Amazon; they let you shop on their site but
> > > when it comes to payment they require a new login. And a good practice I
> > > saw is that if the person is idle for a certain amount of time (e.g. not
> > > clicking or doing any action) you can terminate the session and require
> > > a new login. There are lots of things you can do but they can be
> > > expensive on the application or usability, so you really need to know
> > > what you are protecting and how far you want to go with that.
> > >
> > > And I agree that IP checking is not a preferable idea, because some ISPs
> > > here use clustered proxies, so the user would have a different IP on
> > > every new page they hit.
> > >
> > > On 2/28/06, *Anubis HH* <[EMAIL PROTECTED]> wrote:
> > >
> > > --- Ala'a Ibrahim <[EMAIL PROTECTED]> wrote:
> > >
> > > > I thought of that, but the reason I mentioned an Internet Cafe is that
> > > > the same 2 computers have the same IP address for me,
> > >
> > > Use the User Agent also. Even in cafes, most probably it's not the same.
> > > Use the referer also.
> > >
> > > --
> > > Ala'a A. Ibrahim
> > > http://alaa83.blogspot.com/
>
> --
> Ala'a A. Ibrahim
> http://alaa83.blogspot.com/

_______________________________________________
Jordan PHP Users Group
http://php.jolug.org/
Php mailing list
[email protected]
http://mail.jolug.org/mailman/listinfo/php_jolug.org
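The scheme argued over in this thread (a per-request number stored server-side in the session and carried in every link, rejected when it does not match) and the two objections to it (a form loses the number unless it is a hidden field; the Back button replays a stale number) can be tried out end to end. The following is an added illustration written for this page, not code posted by anyone in the thread; it uses an in-memory Python stand-in for the PHP session store, and the names `SessionStore`, `issue_page`, `handle_click` and the scenario functions are invented here. "Refuse the connection" is taken to mean dropping the session, which is an assumption.

```python
"""Per-request token bound to a server-side session.

Added illustration for the thread above; not the posters' code.
SessionStore is a toy in-memory stand-in for PHP's $_SESSION (assumed).
"""
import hmac
import secrets


class SessionStore:
    def __init__(self):
        # session_id -> {"user": str, "token": str | None}
        self._sessions = {}

    def login(self, user):
        """Create a session; the returned id is what goes in the cookie."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": user, "token": None}
        return sid

    def issue_page(self, sid):
        """Render a page: rotate the per-request token and return it.

        The caller embeds the token in every link (query string) and in
        every form (hidden input). It is never stored in a cookie, so a
        cookie-only thief does not get it.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        token = secrets.token_hex(16)
        sess["token"] = token
        return token

    def handle_click(self, sid, token):
        """Validate one request. Returns (accepted, next_token).

        A missing or mismatched token ends the session (the thread's
        "refuse the connection"), so a thief's first wrong guess also
        locks the legitimate user out.
        """
        sess = self._sessions.get(sid)
        if sess is None:
            return False, None
        expected = sess["token"]
        if token is None or expected is None or \
                not hmac.compare_digest(expected, token):
            del self._sessions[sid]
            return False, None
        return True, self.issue_page(sid)

    def is_alive(self, sid):
        return sid in self._sessions


def scenario_cookie_theft():
    """Attacker has the session cookie only, not the token in the page."""
    store = SessionStore()
    sid = store.login("alice")
    store.issue_page(sid)
    stolen_ok, _ = store.handle_click(sid, None)
    return stolen_ok, store.is_alive(sid)  # (False, False)


def scenario_form_without_hidden_field():
    """Ammar's first objection: a POST built without the hidden field."""
    store = SessionStore()
    sid = store.login("alice")
    store.issue_page(sid)
    accepted, _ = store.handle_click(sid, None)
    return accepted  # False


def scenario_form_with_hidden_field():
    """Same form, but the token was emitted as <input type=hidden>."""
    store = SessionStore()
    sid = store.login("alice")
    tok = store.issue_page(sid)
    accepted, _ = store.handle_click(sid, tok)
    return accepted  # True


def scenario_back_button():
    """Ammar's second objection: Back re-shows page 1 with its old token."""
    store = SessionStore()
    sid = store.login("alice")
    tok1 = store.issue_page(sid)
    ok_first, _tok2 = store.handle_click(sid, tok1)   # click on page 1
    ok_back, _ = store.handle_click(sid, tok1)        # Back, click again
    return ok_first, ok_back  # (True, False)


if __name__ == "__main__":
    print("cookie theft  :", scenario_cookie_theft())
    print("form, no field:", scenario_form_without_hidden_field())
    print("form, hidden  :", scenario_form_with_hidden_field())
    print("back button   :", scenario_back_button())
```

The four scenarios show both halves of the thread: a stolen cookie alone is useless, but the same strictness turns a cached page or a form without the hidden field into a forced logout, which is the usability cost Zaid's earlier message warned about.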
