>> So if I'm to write an online web-based banking system (either in
>> Java/JSP, PHP, ASP - whatever)... what method would you suggest that
>> IS secure?
>
> As for the propagation of the session id, there is only one
> pseudo-secure method -- using HTTP basic authentication. On
> authenticated pages, the following code can be used to make the
> session id dependent on the authentication credentials passed on by
> the user. I'm quite happy with it on various sites.
However, HTTP basic authentication is passed the same way as session cookies (discussed earlier in this thread) - in the headers of the HTTP communication. This can very easily be faked with something like cURL.

The only secure way I have found has been Flash inside the web browser, with a Blowfish encryption handler. Then the Flash app talks to the PHP scripts over HTTPS, communicating in XML and passing the session back and forward there.

The only way around it is to log every single packet and use packet reconstruction after putting it through an SSL handler and then parse the TCP communication... but there's no way around that one.

--
Dan Hardiker [[EMAIL PROTECTED]]
ADAM Software & Systems Engineer
First Creative Ltd

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
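The quoted message refers to code that makes the session id dependent on the HTTP basic authentication credentials, but that code is not on this page. The sketch below is an added example (not from either poster) of one way to do that binding, written in Python rather than PHP so it runs stand-alone; `SERVER_SECRET`, the in-memory `SESSIONS` store and the helper names are assumptions. As the reply notes, this only helps when the headers travel over HTTPS, since a replayed cookie plus a replayed Authorization header still passes.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed secret for the example; a real deployment loads it from config.
SERVER_SECRET = b"constructed-example-secret-rotate-me"
SESSIONS = {}  # session id -> {"user": ..., "binding": ...} (in-memory stand-in)


def basic_header(user, password):
    """Build an 'Authorization: Basic ...' header value (test helper)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header):
    """Return (user, password) from a Basic header value, or None if malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def binding_for(user, password):
    """Keyed digest of the credentials: the stored value is useless without them."""
    msg = hashlib.sha256(f"{user}:{password}".encode()).digest()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def start_session(auth_header):
    """Open a session tied to the presented credentials; returns the session id."""
    creds = parse_basic_auth(auth_header)
    if creds is None:
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": creds[0], "binding": binding_for(*creds)}
    return sid


def check_request(sid, auth_header):
    """Accept only when the session exists and the same credentials accompany it."""
    sess = SESSIONS.get(sid)
    creds = parse_basic_auth(auth_header)
    if sess is None or creds is None:
        return False
    # Constant-time compare so the check itself leaks nothing about the binding.
    return hmac.compare_digest(sess["binding"], binding_for(*creds))
```

A stolen session id presented without the matching Authorization header, or with someone else's credentials, is rejected; the check does not defend against an attacker who captured both from an unencrypted connection.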