Melvyn Sopacua wrote:

> We seem to go around in circles :-)
>
> At 13:08 14-8-2002, you wrote:
>
>> Melvyn Sopacua wrote:
>>
>>> At 12:04 14-8-2002, Yasuo Ohgaki wrote:
>>>
>>>> Aren't we discussing what method of passing session ID is less
>>>> secure than others?
>>>
>>> Yes, but I fail to see what it has to do with security.
>>> For instance - I use sessions to store some output that takes a lot
>>> of time to generate. Why would that be a security risk for anyone?
>>
>> I thought we weren't talking about such a case.
>>
>> We should provide an appropriate level of protection/security
>> depending on the information/requirements.
>>
>> Using URL-based session management is probably ok for web-based
>> chat, but not for web-based banking.
>
> My point being: session management can be secure for web-based banking
> regardless of how it's being delivered. And the opposite also applies:
> relying on sessions __only__ to provide information is not ok for
> web-based banking, regardless of whether it's a cookie or not.
>
> The comments in the php.ini also imply "as long as I use session
> cookies I am secure".

Does it? Any improvements are welcome.

> There are a lot of novice users out there, who are not only new to php,
> but also to programming, webserving and networking. We should not advise
> anyone with half of the truth, which can additionally be misinterpreted,
> but advise them when sessions can be used as the only decision maker
> and when not. We have to set a basis somewhere.

I'm assuming users know basic session management issues, even if that's not true for some users.

Improvements, additional descriptions, corrections are welcome at any time.

--
Yasuo Ohgaki

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
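The two points argued in the thread (cookie vs. URL transport of the session ID, and a session not being the only decision maker for a sensitive operation) as an added PHP example; it is not code from the thread or from PHP itself. The php.ini directive names are real; `transfer_funds`, `requires_fresh_auth`, the `REAUTH_WINDOW_SECONDS` constant and the `$_SESSION` keys are assumptions made for the illustration.

```php
<?php
// Added example, not from the mailing-list thread. Function names, the
// constant and the $_SESSION keys are assumptions; the ini directives are
// real php.ini settings.

// 1. Transport hardening: the session ID travels only in a cookie, never in
//    the URL, so it does not end up in Referer headers, bookmarks or logs.
ini_set('session.use_only_cookies', '1'); // ignore an ID supplied via GET/POST
ini_set('session.use_trans_sid', '0');    // do not rewrite links to carry the ID
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
ini_set('session.cookie_httponly', '1');  // keep the cookie away from script
session_start();

// 2. A valid session only proves "someone authenticated earlier". For a
//    banking-style action the session is not the sole decision maker: the
//    user must have re-entered their password recently (assumed window).
const REAUTH_WINDOW_SECONDS = 300;

function requires_fresh_auth(array $session, int $now): bool
{
    // 'last_auth_at' (assumed key): when the password was last verified.
    $last = (int) ($session['last_auth_at'] ?? 0);
    return ($now - $last) > REAUTH_WINDOW_SECONDS;
}

function transfer_funds(array $request): string
{
    if (empty($_SESSION['user_id'])) {
        return 'not logged in';
    }
    if (requires_fresh_auth($_SESSION, time())) {
        return 'password required'; // render a re-authentication form instead
    }
    // Per-session anti-CSRF token (assumed key), compared in constant time.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $request['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, $given)) {
        return 'bad request token';
    }
    // ... perform the transfer here ...
    return 'ok';
}
```

With `session.use_only_cookies` on, a request carrying `PHPSESSID` in the query string simply gets a fresh session rather than the one named in the URL, which is the behaviour the thread contrasts with URL-based session management.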