Melvyn Sopacua wrote:
> Again - security by obscurity. It does not change the fact, that
> if($_SESSION['logged_in']) { 'good' } is insecure.
> Using a trans-sid only makes things more transparent, which is not equal
> to less secure in my book, but I know opinions vary in that area.

Who is talking about what kind of information should be stored in session? Aren't we discussing what method of passing session ID is less secure than others?

I forgot to mention issues related to SSL. Anyway, the fact won't change with or without SSL issue. URL based session management has more risks than cookie's.

Please advise people to consider risks :)

--
Yasuo Ohgaki