[PHP] Re: About Session And Cookies

2007-08-31 Thread Dan
Wow, you really need to be careful whenever you're dealing with money, although if you're just handing the objects in a cart and passing that to a secure payment system then it's not as big of a deal. Cookies can be stolen. Sessions are vulnerable to snooping if you're on a shared server. T

Re: [PHP] Re: About Session And Cookies

2007-08-30 Thread Stut
Richard Lynch wrote: On Wed, August 29, 2007 4:33 pm, tedd wrote: At 10:52 PM +0200 8/18/07, Michelle Konzack wrote: On 2007-08-17 22:07:47, Bastien Koert wrote: If cookies are not available, you can either hide the id in the hidden form field element or enable trans_sid to automaticall

Re: [PHP] Re: About Session And Cookies

2007-08-29 Thread Richard Lynch
On Wed, August 29, 2007 4:33 pm, tedd wrote: > At 10:52 PM +0200 8/18/07, Michelle Konzack wrote: >>On 2007-08-17 22:07:47, Bastien Koert wrote: >>> >>> If cookies are not available, you can either >>> >>> hide the id in the hidden form field element >>> or >>> enable trans_sid to automatical

Re: [PHP] Re: About Session And Cookies

2007-08-29 Thread Kirk Friggstad
On 8/29/07, tedd <[EMAIL PROTECTED]> wrote: > When the user first generates a session id, grab the user's ip and > store both in mysql. > > In the code, always check the session id against the user's ip before > doing anything. If they don't match with what you started with, then > stop. That shoul

[PHP] Re: About Session And Cookies

2007-08-29 Thread tedd
At 10:52 PM +0200 8/18/07, Michelle Konzack wrote: On 2007-08-17 22:07:47, Bastien Koert wrote: If cookies are not available, you can either hide the id in the hidden form field element or enable trans_sid to automatically pass the session id in the url This will be a security risk sin

Re: [PHP] Re: About Session And Cookies

2007-08-21 Thread Kelvin Park
Hello, thanks for all the replies. However, since I'm not very familiar with trans_sid I'll do some research on that. Michelle Konzack, if hiding the id in hidden form field element or enabling trans_sid could lead to security risks, what would you recommend as an alternative method to safely tran

[PHP] Re: About Session And Cookies

2007-08-21 Thread Michelle Konzack
On 2007-08-17 22:07:47, Bastien Koert wrote: > > If cookies are not available, you can either > > hide the id in the hidden form field element > or > enable trans_sid to automatically pass the session id in the url This will be a security risk since Session-Hijacker can grab the URL Greeting