On Tue, 16 Apr 2002 14:51, Manuel Lemos did align ASCII characters thusly:
> > > then stored in cookie. The security weakness of this method is that if
> > > the secret key leaks, hackers may use to forge new sessions.
> >
> > Is this documented anywhere?
> Anyway what part didn't you
> understand?

I think I understand all of it. Serialization of a session (or session 
object) is fairly straightforward and I know how to store that in a cookie. I 
was just hoping there was a "cookbook" out there. Don't have any classes on 
your site that do this do you?  ;-)

> > > accesses to just one after the server is restarted. This is probably
> > > the one you want to use as long you know how to deal with shared memory
> > > and semaphores.
> >
> > Is this documented anywhere?
> Probably only in my mind . :-)

Can I borrow it????

> I guess you mean HTTP based authentication. 


> No, AFAIK that is very
> unsecure because you can't end a "session" because browsers cache
> authenticated passwords and only drop them (of they do, IE may not do
> it) when you quit your browser. If you leave your browser terminal for
> some time, somebody may come in and take advantage of your account
> privileges.

The physical security of the users machine is their responsibility. I'm 
looking for good security, ease of implementation, and scalability.

At the moment it seems to be a case of "pick any two".


PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to