Keep the current user's IP address or timestamp in a
database with the session ID.
If the session is requested by someone with a different
IP or a too-late timestamp, give the requesting user a
new session.
> -----Original Message-----
> From: adam (dahamsta) [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, June 27, 2001 1:39 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Stopping stolen / spoofed / linked sessions
>
>
> [Please copy replies off-list.]
>
> I want to use PHP4 sessions for authentication, but I'm having difficulty
> understanding how to get around users spoofing, stealing or linking sessions.
> Here's an example: Alice sends Bob a link from a site she's logged into.
> Alice has cookies turned off in her browser, so the session id will be in the
> URL she sends Bob. Eve intercepts the message, follows the link and now she
> can take over Alice's session, and any data that is associated with that
> session. For that matter, Bob can do the same thing.
>
> I can think of lots of ways around this, but most of them are kludges that
> don't really cut it. I can store a second authentication value in a cookie,
> but that would require cookies, which isn't acceptable. I could propagate a
> second authentication variable in the URL, but that's a lot of hassle and
> defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
> the user came from my own site, but that can be spoofed. I can log and check
> the user's IP address, but that can't be relied upon.
>
> Is there any reliable way around this? Am I missing something obvious?
>
> Cheers,
> adam
>
>
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
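A sketch of the IP/timestamp check this reply proposes, added here as an example and not code from the thread. It assumes a modern PHP runtime (session_regenerate_id(true), hash_equals), keeps the binding in the server-side $_SESSION data rather than a separate database table, and the IDLE_LIMIT value and helper names are assumptions for illustration.

```php
<?php
// Added example (not from the thread): bind a PHP session to the client's
// IP address and a last-activity timestamp, then refuse to honour a session
// ID that is presented from another address or after too long a gap.
// The binding lives in $_SESSION (server-side) instead of a database table;
// IDLE_LIMIT and the function names are assumptions for illustration.

const IDLE_LIMIT = 900; // seconds of inactivity after which the session is stale

// Compare the stored binding with the current request.
// Returns null when the session may continue, otherwise a reason string.
function session_binding_problem(array $stored, string $ip, int $now): ?string
{
    if (!isset($stored['ip'], $stored['last_seen'])) {
        return 'unbound';        // brand-new session, nothing recorded yet
    }
    if (!hash_equals($stored['ip'], $ip)) {
        return 'ip_mismatch';    // presented from a different address
    }
    if ($now - $stored['last_seen'] > IDLE_LIMIT) {
        return 'expired';        // presented too late after the last request
    }
    return null;
}

// Call once per request, right after session_start(). A mismatching or
// stale session is emptied and replaced by a fresh, unauthenticated one.
function enforce_session_binding(): void
{
    // Behind a reverse proxy REMOTE_ADDR is the proxy; resolve the real
    // client address there before using it, or the check is meaningless.
    $ip  = $_SERVER['REMOTE_ADDR'];
    $now = time();
    $problem = session_binding_problem($_SESSION, $ip, $now);

    if ($problem !== null && $problem !== 'unbound') {
        error_log('session ' . session_id() . " rejected: $problem");
        $_SESSION = [];                 // discard any authenticated state
        session_regenerate_id(true);    // new ID; the old one is deleted
    }
    // (Re)bind the session to this request.
    $_SESSION['ip']        = $ip;
    $_SESSION['last_seen'] = $now;
}

session_start();
enforce_session_binding();
```

As the original poster already notes, binding to the IP address logs out legitimate users whose address changes mid-session (dial-up reconnects, proxy pools), so the timestamp limit does most of the useful work and the IP check is best treated as a supplementary signal.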