Hi Dan,

This was exactly what I meant to suggest by allowing any session, even an
active one, to time out.
Even though your workaround would also definitely make the task harder,
as George pointed out, we still don't have a solution against a
motivated cracker.

I think it would be very good, but I am wondering, with your
implementation, how support will be kept for automated applications.
On Tue, 2002-08-20 at 11:00, Dan Hardiker wrote:

    > It is also very conceivable that a person would send a link to a java
    > applet or any other kind of wrapper (PHP or other CGI actually would be
    > able to establish the connection on the server side always sending the
    > same user agent string and sending back the data from your site) to
    > establish the session in which case this is rendered useless.
    
    So because it's not flawless, we shouldn't try to get as close to perfection
    as we can?
    
    I know it's not water-tight by any stretch of the imagination, but the more
    checking in there, the harder it is for hackers to get the foot in the
    door and penetrate. The more abstract the system is (especially on a site
    by site basis) the more work a cracker has to do to work out how a host is
    authenticated.
    
    At the end of the day, nothing from the client can be trusted - nothing.
    So we are never gonna reach perfection when the client is involved in
    relaying information.
    
    
    -- 
    Dan Hardiker [[EMAIL PROTECTED]]
    ADAM Software & Systems Engineer
    First Creative Ltd

Xavier Spriet
Developer/Administrator/Apache Build
Next Dimension Inc.
[EMAIL PROTECTED]
Tel: (519)-945-2032 Ext. 233
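As an added illustration of the two controls discussed in this thread, an absolute session lifetime that expires even a continuously active session, plus binding the session to the User-Agent seen at login, here is a small validator; it is not code from either poster, the class and method names are my own, and the clock is passed in explicitly so it runs offline.

```python
# Added example, not from the thread. Names (SessionStore, SessionRecord,
# validate) are assumptions. The caller supplies "now" in seconds.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class SessionRecord:
    user: str
    created_at: float   # absolute lifetime is measured from here
    last_seen: float    # idle timeout is measured from here
    ua_digest: str      # digest of the User-Agent presented at login


class SessionStore:
    def __init__(self, absolute_lifetime=8 * 3600, idle_timeout=15 * 60):
        self.absolute_lifetime = absolute_lifetime
        self.idle_timeout = idle_timeout
        self._sessions = {}

    @staticmethod
    def _ua_digest(user_agent: str) -> str:
        return hashlib.sha256(user_agent.encode("utf-8")).hexdigest()

    def create(self, sid: str, user: str, user_agent: str, now: float) -> None:
        self._sessions[sid] = SessionRecord(user, now, now, self._ua_digest(user_agent))

    def validate(self, sid: str, user_agent: str, now: float):
        """Return (ok, reason). Any failure destroys the session."""
        rec = self._sessions.get(sid)
        if rec is None:
            return False, "unknown"
        # Absolute lifetime: enforced even if the session never went idle,
        # so a hijacked session cannot be kept alive indefinitely.
        if now - rec.created_at > self.absolute_lifetime:
            del self._sessions[sid]
            return False, "absolute"
        if now - rec.last_seen > self.idle_timeout:
            del self._sessions[sid]
            return False, "idle"
        # User-Agent binding: defence in depth only, since a client can send
        # any string it likes (the point made in the quoted message).
        if not hmac.compare_digest(rec.ua_digest, self._ua_digest(user_agent)):
            del self._sessions[sid]
            return False, "user-agent"
        rec.last_seen = now
        return True, "ok"
```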
