Roger
On Tue, 2003-09-02 at 14:29, Perrin Harkins wrote:
Did you mean to send this to the list? It only went to me.

On Tue, 2003-09-02 at 15:23, Roger Davenport wrote:
> The session ID only lasts a certain time.. anywhere from a couple of
> minutes to a couple of days (varies widely). SSLv2 is 16 bytes, and
> SSLv3/TLS is anywhere from 1 to 32 bytes. The session ID is
> essentially a value which saves the client and server from having to
> handshake every time. But if you get a matching value, chances are
> that you have the same machine if it's within a reasonable amount of
> time.
>
> Roger
>
> On Tue, 2003-09-02 at 13:40, Perrin Harkins wrote:
> > On Tue, 2003-09-02 at 14:23, kfr wrote:
> > > Yes, sorry. I have a site that allows my customers to become members via
> > > monthly credit card subscription. The problem is we've been getting
> > > fraudulent credit card transactions and need some mechanism to detect a user
> > > who is a repeat offender so I can detect them trying to submit yet another
> > > bogus CC for access.
> >
> > Okay, that makes sense. Unfortunately, there's no foolproof way that I'm
> > aware of. To begin with, you can try using a cookie. This will stop
> > anyone who is not very technical. Beyond that, I have heard that
> > there's some kind of unique identifier in SSL that you may be able to
> > use. I know this because the f5 big/ip load balancers used it. Check
> > into that.
> >
> > - Perrin
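
The correlation described in the thread, as an added example that is not part of the original messages: a Python sketch that checks a session ID against the lengths quoted above (16 bytes for SSLv2, 1 to 32 bytes for SSLv3/TLS) and flags a card submission when the same ID was seen on a declined card shortly before. The record layout, function names, the 30-minute window and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumed window; the thread only says "a reasonable amount of time".
WINDOW = timedelta(minutes=30)

def valid_session_id(hex_id, protocol):
    """Apply the length limits quoted in the thread to a hex-encoded ID."""
    try:
        raw = bytes.fromhex(hex_id)
    except ValueError:
        return False
    if protocol == "SSLv2":
        return len(raw) == 16
    return 1 <= len(raw) <= 32  # SSLv3/TLS

def flag_repeat_submissions(events, window=WINDOW):
    """Return (timestamp, session_id) for submissions that reuse a session ID
    seen on a declined card within `window`.

    events: time-ordered tuples of
            (iso_timestamp, protocol, session_id_hex, outcome).
    """
    last_decline = {}  # session ID -> time of its most recent decline
    flagged = []
    for ts, protocol, sid, outcome in events:
        # Empty or malformed IDs cannot be correlated; skip them.
        if not valid_session_id(sid, protocol):
            continue
        when = datetime.fromisoformat(ts)
        sid = sid.lower()  # normalise hex case before comparing
        prev = last_decline.get(sid)
        if prev is not None and when - prev <= window:
            flagged.append((ts, sid))
        if outcome == "declined":
            last_decline[sid] = when
    return flagged

# Constructed sample events (not real traffic).
SAMPLE = [
    ("2003-09-02T14:00:00", "TLSv1", "a1" * 32, "declined"),
    ("2003-09-02T14:05:00", "TLSv1", "A1" * 32, "declined"),  # same ID, 5 min later
    ("2003-09-02T14:06:00", "TLSv1", "b2" * 32, "approved"),  # different ID
    ("2003-09-02T14:07:00", "TLSv1", "", "declined"),         # no session ID sent
    ("2003-09-02T14:10:00", "SSLv2", "c3" * 8, "declined"),   # wrong length for SSLv2
    ("2003-09-02T16:00:00", "TLSv1", "a1" * 32, "approved"),  # same ID, outside window
]

if __name__ == "__main__":
    for ts, sid in flag_repeat_submissions(SAMPLE):
        print(f"{ts} repeat session {sid[:8]}...")
```

A match only holds while the client keeps resuming the same session, so treat it as one signal alongside the cookie mentioned in the thread.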