Dan Hardiker wrote:
>>I'm not saying cookie based session is perfectly secure, but
>>it's obvious to me that URL based session is much less secure
>>than the cookie one, especially compared to session cookie.
> 
> 
> URL based session-id transferal is not much less secure, because all the
> user has to do is open up their cache and voila, there is the session id.

Again, I'm not saying cookie based session is perfectly secure.
I'm pointing out that URL based session is less secure than cookie based.

> 
> I publish e-learning sites to colleges and universities, and I *still*
> find that 80% of the places we deliver to don't have cookies enabled
> (because of a paranoid sys-admin ... and with the problems recently found
> in IE, I don't blame them for expecting security holes / bugs, really).

Don't use IE, there are too many security holes :)

> 
> If you are coding a session handler (on top of the existing php4 set of
> session tools) I would expect the following:
> 
>  * Browser ID checking (and whatever information can be relied upon (in
> certain cases, IP)) to make sure that the session ID hasn't just been cut
> 'n' pasted into an email
>  * Time based logout *serverside* and an error message to inform the user
> they have been automatically logged out and that, should they leave their
> terminal unattended / stop working with the site, they should do this
> themselves.

Are you going to convince people that sending a URL with an active session ID
is difficult? Or that using the same session ID is secure?
Read the 1st reply or the current php.ini.

Besides, the default session save handlers do not check additional
parameters to make the session more secure.

> 
> 
>>Session cookie is the best way passing session ID.
>>Second best is normal cookie, then URL/POST method.
> 
> 
> This bit confused me slightly ... what's the difference between a Session
> cookie and a Normal cookie?
> 

A session cookie is a cookie with lifetime 0.
Almost all browsers will not save a session cookie to file;
it sits in memory. Therefore, it is deleted when the browser
is closed.

I've already described a little how it could be useful for building a
more secure web site.

I believe there are many articles around that recommend
session cookies over normal cookies. Reading these will help
to understand how URL based session management could be
less secure. Please read the related articles for more details.

--
Yasuo Ohgaki



-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
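The points made in this thread (carry the session ID only in a cookie with lifetime 0 so it is neither cached nor pasted into an email with a URL, log the user out server-side after a period of inactivity with a message, and check the browser identity against the one that opened the session) can be put together in one small session bootstrap. The code below is an added example for current PHP (7.3 or later, for the array forms of session_set_cookie_params and setcookie); it is not code from the thread, from Dan or from Yasuo, and the function names, the 15-minute idle limit and the notice texts are this example's own choices. The secure/httponly/samesite cookie attributes are modern hardening beyond what the thread discusses.

```php
<?php
// Added example (not from the thread): session handling that applies the
// thread's recommendations on current PHP.
//   - session ID carried only in a cookie with lifetime 0 (a "session cookie"),
//     never in the URL, so it does not land in the browser cache or in an
//     email alongside a pasted link;
//   - server-side idle timeout with a message telling the user why they were
//     logged out;
//   - a browser (User-Agent) fingerprint check, one of the "whatever
//     information can be relied upon" checks described in the thread.
// All names and the timeout value below are assumptions of this example.

const IDLE_TIMEOUT_SECONDS = 15 * 60;   // assumed policy value, not from the thread

// Returns null when the request may proceed, or a notice text when the
// session was ended and the user should be told why.
function secure_session_start(): ?string
{
    // Session ID only via cookie; never appended to URLs or forms.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued

    // lifetime 0 => "session cookie": kept in memory, dropped when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // hardening beyond the thread: HTTPS only
        'httponly' => true,   // hardening beyond the thread: not readable by scripts
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $ua  = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');

    if (!isset($_SESSION['created'])) {
        // Fresh session: record browser fingerprint and timestamps.
        $_SESSION['created']   = $now;
        $_SESSION['last_seen'] = $now;
        $_SESSION['ua_hash']   = $ua;
        return null;
    }

    // Time based logout *serverside*: the client cannot extend this by
    // editing its own cookie, unlike a client-side expiry.
    if ($now - $_SESSION['last_seen'] > IDLE_TIMEOUT_SECONDS) {
        end_session();
        return 'You were automatically logged out after '
            . (IDLE_TIMEOUT_SECONDS / 60) . ' minutes of inactivity. '
            . 'Please log out yourself before leaving your terminal.';
    }

    // Browser ID check: a session ID that reached a different browser
    // (via cache, email or a copied URL) will usually fail here.
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        end_session();
        return 'Your session was ended because it was used from a different browser.';
    }

    $_SESSION['last_seen'] = $now;
    return null;
}

// Destroy server-side state and expire the cookie in the browser.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Call after a successful login so the pre-login ID cannot be reused
// (the "using the same session ID" concern raised in the thread).
function on_login_success(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Usage on every request:
$notice = secure_session_start();
if ($notice !== null) {
    echo htmlspecialchars($notice), "\n";
    exit;
}
```

The User-Agent check is deliberately the only client-supplied fingerprint used: an IP check, as Dan notes, is reliable only "in certain cases" (proxies and mobile networks change a legitimate user's address mid-session), so it is left out here rather than added as a brittle default.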