So you wish to prevent your users from forging GET/POST values and are willing to rely on client-side cookies? How is that any safer?
On Tue, 2002-08-20 at 09:18, Marko Karppinen wrote:

Sascha:
> If you want your site to be safe, enable
> session.use_only_cookies and be done with it. No amount of
> checking on the server side can otherwise prevent this class
> of attacks.

By the way, does session.use_only_cookies work with session.use_cookies=off? I'm using an alternative method (HTTP Basic Authentication) for the session id propagation, and would like to prevent users from setting the sid in get/post parameters.

mk

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php

Xavier Spriet
Developer/Administrator/Apache Build
Next Dimension Inc.
[EMAIL PROTECTED]
Tel: (519)-945-2032 Ext. 233