>> This bit confused me slightly ... what's the difference between a
>> Session cookie and a Normal cookie?
>
> It's stored in memory, not on disk.

How you can tell a cookie to be stored in RAM rather than on the HDD, I'm not sure ... but that might mean I need to brush up.

> For the end-user Mr. Priest, this would be considered even 'less
> secure', because he expects it to be deleted and invalid, but the
> ISP-forced proxy he's using is logging all headers and Mr. Haxor just
> broke in and used the session id to get his order form for vanilla
> flavoured condoms.
>
> Now how did that happen? It's a miracle :-)

Now this is where the code dev needs an IQ above 3.

*Use IP and Browser String authentication*

eg: Load up the session ID given, check the IP and browser string (possibly even referrer) and if they don't match, squeal.

Yes, the browser string and referrer can be faked (although somewhat difficultly without a stream dump of the connection, by which point they have more data than they could hope for... in this case *use https*). The IP is more difficult to forge... but possible, but I think you catch my drift.

It does not matter *where* the session id goes client side, it cannot be trusted. Period. In order for sessions to work, you must send a session id to the client, and you must expect to get that back. You have no idea how the client is storing those cookies and even if you tell the cookie "delete yourself and never be seen again" (be a RAM or HDD cache cookie) you can't rely on that fact.

If Mr Customer can get in - so can Mr Hacker... simple. Where there is a will there is a way. All you can gauge is the amount that Mr Hacker needs to know.

At the end of the day - if you want to avoid cookies / session id insecurities... use a flash interface with xml sockets (blowfish encrypted). I won't go into the details here, this has gone far enough off topic.

-- 
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd

-- 
PHP Development Mailing List <http://www.php.net/>
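The "load the session ID, check the IP and browser string, and squeal on mismatch" check from the post, written out as an added Python example (it is not code from the post or from PHP's session handling); the in-memory store, the HMAC secret and the sample addresses and User-Agent strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SessionRecord:
    user: str
    fingerprint: str              # keyed hash of client IP + User-Agent seen at login
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table that refuses a session id presented from a
    different IP / browser string than the one it was issued to.
    Caveat: a legitimate user whose address changes mid-session (proxy pool,
    mobile hand-over) is logged out too; the check raises the bar, it is not proof."""

    def __init__(self, secret: bytes):
        self._secret = secret                  # constructed for the demo; keep private
        self._sessions: dict[str, SessionRecord] = {}
        self.alerts: list[str] = []            # mismatch events for logging / alerting

    def _fingerprint(self, ip: str, user_agent: str) -> str:
        # HMAC rather than plain hash: a leaked table does not reveal IP or UA
        msg = ip.encode() + b"\x00" + user_agent.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def create(self, user: str, ip: str, user_agent: str) -> str:
        sid = secrets.token_urlsafe(32)        # 256 bits of entropy, not guessable
        self._sessions[sid] = SessionRecord(user, self._fingerprint(ip, user_agent))
        return sid

    def load(self, sid: str, ip: str, user_agent: str) -> Optional[SessionRecord]:
        rec = self._sessions.get(sid)
        if rec is None:
            return None                        # unknown id: nothing to compare against
        if not hmac.compare_digest(rec.fingerprint, self._fingerprint(ip, user_agent)):
            # The post's "squeal": log the event and destroy the session, so a
            # replayed id is useless to the replayer and the real owner re-logins.
            self.alerts.append(f"session {sid[:8]}... presented from {ip} "
                               f"with UA {user_agent!r}; destroyed")
            del self._sessions[sid]
            return None
        return rec
```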