that?
Wouter
- -Original message-
- From: Jennifer Goodie [mailto:[EMAIL PROTECTED]
- Sent: Saturday 13 September 2003 0:37
- To: Wouter van Vliet; PHP General
- Subject: RE: [PHP] Session stealing, ..
-
-
- # When deserialized we are called and need to check
I would also be interested in seeing the code as well. If you could also
e-mail it to me, I would be very appreciative.
Ben
-Original Message-
From: Jason Sheets [mailto:[EMAIL PROTECTED]
Sent: Friday, September 12, 2003 4:56 PM
To: Wouter van Vliet
Cc: PHP General
Subject: Re: [PHP
# When deserialized we are called and need to check if the
# stored IP address equals the client's
function __wakeup() {
    global $Log;
    if ($_SERVER['REMOTE_ADDR'] != $this->Night['IP']) {
I wrote a custom session handler that encrypts the session before it is
stored in /tmp that way even if someone has access to the session files
they are useless.
It stores the randomly generated encryption key on the user's client
base64_encoded, which can be intercepted as we all know but
This all probably takes care of the problem with session IDs in the
query string, which is known as referrer to the next website our visitor
visits. What I'm worrying and wondering about now are other users of the
server my site's at. They can most likely go into the /tmp folder and
just read