> So if I'm to write an online web-based banking system (either in Java/JSP, PHP, ASP - whatever)... what method would you suggest that IS secure?
As for the propagation of the session id, there is only one pseudo-secure method -- using HTTP basic authentication. On authenticated pages, the following code can be used to make the session id dependent on the authentication credentials passed on by the user. I'm quite happy with it on various sites.

First, in php.ini, we turn off other methods of propagation:

    session.use_trans_sid = Off
    session.use_cookies = Off

Then, *after the user has been authenticated*, we do this:

    // Basic-auth credentials as PHP exposes them (the original used the
    // register_globals names $PHP_AUTH_USER/$PHP_AUTH_PW; $_SERVER holds the same values).
    if (isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW'])) {
        // Derive the session id from a fixed string plus the credentials.
        session_id(md5("magiccookie" . $_SERVER['PHP_AUTH_USER'] . $_SERVER['PHP_AUTH_PW']));
    }
    session_start();

To my knowledge, this method is completely secure when transport layer security (i.e. SSL) is used, and, when not, as secure as most other authentication methods where the credentials are transmitted in cleartext. In my book, this makes it considerably cleaner a propagation method than the other alternatives.

If someone is documenting the session propagation stuff, maybe this should be mentioned.

mk

-- 
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
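As an added example (mine, not the poster's code and not part of PHP), the same Basic-auth binding done without deriving the id from the password: the id is random and kept only in a server-side user-to-id map, so it cannot be recomputed from the credentials and can be revoked without a password change. `lookup_password_hash()`, its single constructed user and the JSON map file path are assumptions made for the example.

```php
<?php
// Added example, not the original poster's code. Same php.ini settings as the post:
// no cookie and no URL propagation; the id is set by the server on every request.
ini_set('session.use_trans_sid', '0');
ini_set('session.use_cookies', '0');

// Hypothetical stub (assumption): return the stored password hash for a user.
// The one constructed user only makes the example self-contained.
function lookup_password_hash(string $user): ?string
{
    $users = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    return $users[$user] ?? null;
}

// Read the server-side user -> session id map (a JSON file, an assumption).
function load_session_map(string $mapFile): array
{
    if (!is_file($mapFile)) {
        return [];
    }
    $map = json_decode((string) file_get_contents($mapFile), true);
    return is_array($map) ? $map : [];
}

// Return the user's current session id, issuing a fresh random one if none exists.
// The id comes from the CSPRNG, so it is independent of the password and cannot
// be checked offline against password guesses.
function session_id_for_user(string $user, string $mapFile): string
{
    $map = load_session_map($mapFile);
    if (!isset($map[$user])) {
        $map[$user] = bin2hex(random_bytes(16)); // 128-bit random id, hex is a valid sid
        file_put_contents($mapFile, json_encode($map), LOCK_EX);
    }
    return $map[$user];
}

// Drop the mapping so the next authenticated request gets a new id
// (logout, or invalidating sessions during incident response).
function revoke_user_session(string $user, string $mapFile): void
{
    $map = load_session_map($mapFile);
    unset($map[$user]);
    file_put_contents($mapFile, json_encode($map), LOCK_EX);
}

$user = $_SERVER['PHP_AUTH_USER'] ?? '';
$hash = lookup_password_hash($user);
if ($hash === null || !password_verify($_SERVER['PHP_AUTH_PW'] ?? '', $hash)) {
    header('WWW-Authenticate: Basic realm="example"');
    http_response_code(401);
    exit;
}
session_id(session_id_for_user($user, sys_get_temp_dir() . '/basic_auth_sessions.json'));
session_start();
```

The cleartext caveat from the post still applies: Basic credentials travel on every request, so this only helps over TLS.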