Hmmm. As I mentioned before, I use 32-byte-long, mostly random SessionIDs - that is, there is no ID related to the database. The only way to hijack a session is to guess (or probably sniff :) the 32-byte ID...
I have no idea how to effectively protect against that.

Dossy wrote:
> On 2001.12.27, Wojciech Kocjan <[EMAIL PROTECTED]> wrote:
>
>> I think that anything the user supplies cannot be trusted and as such
>> sessions are a real problem to make secure.
>
> What about using symmetric key crypto to encrypt a sequence
> number that gets stored along with the session ID on the client's
> machine? This could help defeat replay attacks.
>
> Outside of that, there's not much I can think of.
>
> -- Dossy
>
> --
> Dossy Shiobara mail: [EMAIL PROTECTED]
> Panoptic Computer Network web: http://www.panoptic.com/
> "He realized the fastest way to change is to laugh at your own
> folly -- then you can let go and quickly move on." (p. 70)
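Dossy's sequence-number idea, combined with the 32-byte random IDs from the post above, worked through as an added example (this is not code from either poster, and the thread does not say how either of them implemented sessions). One deliberate change from the proposal: the counter is bound to the session ID with a keyed MAC (HMAC-SHA256) rather than encrypted, because an unauthenticated ciphertext can be flipped without the key; the token format, the SessionStore class and the server key are my own assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Size of the random session ID, matching the 32-byte IDs discussed above.
SESSION_ID_BYTES = 32


class SessionStore:
    """Server-side session table (assumed design, not from the thread).

    Each client holds a token of the form  <session_id>:<seq>:<mac>.  The
    session ID is 32 random bytes (hex encoded); seq is a per-session
    counter the server bumps on every accepted request; mac is an
    HMAC-SHA256 over session ID and counter under a server-only key, so a
    client cannot forge a token carrying a different counter.
    """

    def __init__(self, server_key: bytes) -> None:
        self.key = server_key
        # session_id -> sequence number the server expects next
        self.sessions: dict = {}

    def create_session(self) -> tuple:
        """Issue a fresh session ID and its first token."""
        sid = secrets.token_hex(SESSION_ID_BYTES)  # CSPRNG, 256 bits of entropy
        self.sessions[sid] = 0
        return sid, self._token(sid, 0)

    def _mac(self, sid: str, seq: int) -> str:
        msg = f"{sid}:{seq}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def _token(self, sid: str, seq: int) -> str:
        return f"{sid}:{seq}:{self._mac(sid, seq)}"

    def validate(self, token: str) -> tuple:
        """Check a client-supplied token; returns (accepted, next_token).

        A token is accepted only if the session exists, the MAC verifies
        and the counter is exactly the one the server expects next, so a
        replayed (older) token is rejected.
        """
        try:
            sid, seq_text, mac = token.split(":")
            seq = int(seq_text)
        except ValueError:
            return False, None  # malformed token
        expected: Optional[int] = self.sessions.get(sid)
        if expected is None:
            return False, None  # unknown or guessed session ID
        if not hmac.compare_digest(self._mac(sid, seq), mac):
            return False, None  # tampered counter or MAC
        if seq != expected:
            return False, None  # replay of an already-used token
        self.sessions[sid] = seq + 1
        return True, self._token(sid, seq + 1)


def demo() -> dict:
    """Walk through the cases the thread worries about (constructed inputs)."""
    store = SessionStore(server_key=secrets.token_bytes(32))
    sid, t0 = store.create_session()

    ok_first, t1 = store.validate(t0)          # legitimate request
    ok_replay, _ = store.validate(t0)          # same token sent again
    ok_second, _ = store.validate(t1)          # next legitimate request
    tampered = f"{sid}:7:{t1.split(':')[2]}"   # bump the counter, keep the MAC
    ok_tampered, _ = store.validate(tampered)
    ok_guess, _ = store.validate(f"{'0' * 64}:0:{'0' * 64}")  # guessed ID

    return {
        "first request accepted": ok_first,
        "replayed token accepted": ok_replay,
        "next request accepted": ok_second,
        "tampered counter accepted": ok_tampered,
        "guessed session ID accepted": ok_guess,
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The counter only stops an old token from being reused; whoever sniffs the most recent token still holds a valid one until the legitimate client uses it first, so the sniffing worry in the post above is not answered by this scheme, only the replay of stale tokens. Any write to `self.sessions` would need to be atomic in a real multi-process server, otherwise two concurrent requests with the same counter could both be accepted.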
