We seem to go around in circles :-)

At 13:08 14-8-2002, you wrote:

>Melvyn Sopacua wrote:
>>At 12:04 14-8-2002, Yasuo Ohgaki wrote:
>>>Aren't we discussing what method of passing session ID is less
>>>secure than others?
>>
>>Yes, but I fail to see what it has to do with security.
>>For instance - I use sessions to store some output that takes a lot of 
>>time to generate. Why would that be a security risk for anyone?
>
>I thought we aren't talking about such case.
>
>We should provide an appropriate level of protection/security
>depending on the information/requirements.
>
>Using URL based session management is probably ok for web
>based chat, but not for web based banking.

My point being: session management can be secure for web-based banking 
regardless of how it's being delivered. And the opposite also applies: 
relying on sessions __only__ to provide information is not ok for web-based 
banking, regardless of whether it's a cookie or not.

The comments in the php.ini also imply "as long as I use session cookies 
I am secure".

There are a lot of novice users out there, who are not only new to php, but 
also to programming, webserving and networking. We should not advise anyone 
with half of the truth, which can additionally be misinterpreted, but 
advise them when sessions can be used as the only decision maker and when not.



Met vriendelijke groeten / With kind regards,

Webmaster IDG.nl
Melvyn Sopacua


-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php