At 12:04 14-8-2002, Yasuo Ohgaki wrote:

>Melvyn Sopacua wrote:
>>Again - security by obscurity. It does not change the fact that 
>>if($_SESSION['logged_in']) { 'good' } is insecure.
>>Using a trans-sid only makes things more transparent, which is not equal 
>>to less secure in my book, but I know opinions vary in that area.
>
>Who is talking about what kind of information should be stored in session?

There are more out there than you can guess.

>Aren't we discussing what method of passing session ID is less
>secure than others?

Yes, but I fail to see what it has to do with security.
For instance - I use sessions to store some output that takes a lot of time 
to generate. Why would that be a security risk for anyone?

>URL based session management has more risks than cookie's.
>Please advise people to consider risks :)

It doesn't have any risks if you don't rely on the session ID to be the 
only decision maker.

The advice should go into the manual for the use of sessions and advise the 
above line. The delivery method then is insignificant. One should use 
sessions for storage of information that otherwise would have to be looked up in 
a database, or to give usability advice (you did that, then that, so is it 
this you want?).

If you use sessions for anything that should be 'for this user's eyes 
only', then use additional methods to make sure you are dealing with that user.



Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
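The point made in the post above, worked out as an added example (this is not code from the thread or from PHP's own documentation, and it uses modern PHP rather than the PHP 4 of 2002): the `if($_SESSION['logged_in'])` check that trusts the session ID as the only decision maker, placed next to a version that regenerates the ID at login, binds the session to the client, and demands a recent password check before anything "for this user's eyes only" is shown. The user store `lookup_user_password_hash()` and its single constructed account are assumptions for the sake of a runnable example; the User-Agent binding is deliberately labelled as a weak layer, since that header is attacker-controlled.

```php
<?php
// Added example, not from the original thread. Compare the check the post calls
// insecure with one that does not rely on the session ID alone.

session_start();

// --- Insecure: the session ID is the only decision maker -------------------
// Whoever obtains the ID (a URL with trans-sid pasted into a mail, a proxy log,
// a Referer header) is "logged in" as far as this check is concerned.
function insecure_is_logged_in(): bool
{
    return !empty($_SESSION['logged_in']);
}

// --- Hardened: the ID is a lookup key, not proof of identity ---------------
const REAUTH_WINDOW = 300; // seconds before private data needs a fresh password

// Constructed sample user store (assumption: stands in for your own user table).
function lookup_user_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

// Bind the session to something a stolen ID does not carry along. User-Agent is
// attacker-controlled, so this is one weak layer on top of the others, not the
// whole defence. Binding to the client IP breaks legitimate roaming users, so it
// is left out here.
function fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(string $username, string $password): bool
{
    $hash = lookup_user_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Never keep an ID the client brought with it (fixation via URL or cookie).
    session_regenerate_id(true);
    $_SESSION['user']        = $username;
    $_SESSION['fingerprint'] = fingerprint();
    $_SESSION['auth_time']   = time();
    return true;
}

function is_authenticated(): bool
{
    if (empty($_SESSION['user']) || empty($_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], fingerprint())) {
        // The ID is being presented by a different client than the one that
        // logged in: drop the whole session rather than serve it.
        session_unset();
        session_destroy();
        return false;
    }
    return true;
}

// Data that is "for this user's eyes only" additionally requires a password
// check within REAUTH_WINDOW, so a leaked ID by itself cannot reach it.
function may_view_private_data(): bool
{
    return is_authenticated()
        && isset($_SESSION['auth_time'])
        && (time() - $_SESSION['auth_time']) < REAUTH_WINDOW;
}

function reauthenticate(string $password): bool
{
    if (!is_authenticated()) {
        return false;
    }
    $hash = lookup_user_password_hash($_SESSION['user']);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    $_SESSION['auth_time'] = time();
    return true;
}

// The post's own example of harmless session data: cached output that was
// expensive to generate. None of the checks above are needed for it, because a
// stolen ID only lets the thief read a cache of output they could generate anyway.
function cached_report(callable $generate): string
{
    if (!isset($_SESSION['report_cache'])) {
        $_SESSION['report_cache'] = $generate();
    }
    return $_SESSION['report_cache'];
}

// Usage sketch for a request handler:
if (isset($_POST['username'], $_POST['password'])) {
    login($_POST['username'], $_POST['password']);
}
if (may_view_private_data()) {
    echo "private data for " . htmlspecialchars($_SESSION['user']);
} elseif (is_authenticated()) {
    echo "please re-enter your password to view private data";
} else {
    echo cached_report(fn() => "public report generated at " . date('c'));
}
```

The split mirrors the argument in the post: with the checks in `is_authenticated()` and `may_view_private_data()` in place, whether the ID travelled in a cookie or in the URL decides how easily it leaks, not what a leaked ID is worth.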