Thx guys, I'll play around with it some more and see if I can secure it some more :)
Hans Prins

"Keyser Soze" <[EMAIL PROTECTED]> wrote in message news:009201c2d1cd$ec7cd4e0$81aed2c8@keysersoze...
> There's also something I'm using in my session scripts.
> I compare the browser referer with all the possible pages it must have come
> from in each script, this way the user MUST start from the login page, and
> cannot simply type the url with the session id. I only tested it with
> Internet Explorer >5 and Mozilla (don't remember the version now), it worked
> fine.
>
> []'s
> Keyser Soze
>
> ----- Original Message -----
> From: "Sascha Schumann" <[EMAIL PROTECTED]>
> To: "Hans Prins" <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Tuesday, February 11, 2003 2:08 AM
> Subject: Re: [PHP-DEV] session security
>
> >
> > Can anyone point me to a possible solution for this?
>
> 1. Use SSL.
> 2. Throw away an existing session id, if a user authenticated
>    successfully (e.g. destroy the old session, and copy the
>    data into a new one).
> 3. Provide a logout button which destroys the session.
>
> - Sascha
>
> --
> PHP Development Mailing List <http://www.php.net/>
> To unsubscribe, visit: http://www.php.net/unsub.php

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php
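
The three points in Sascha's quoted reply, as an added example that is not part of the original thread and not code from any of its participants. It assumes PHP 7.4 or later; the function names (`check_credentials`, `start_session`, `login`, `logout`) and the single-user store are hypothetical and constructed for illustration.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

function check_credentials(string $user, string $password): bool
{
    // Constructed single-user store so the example is self-contained.
    static $users = null;
    $users ??= ['alice' => password_hash('example-password', PASSWORD_DEFAULT)];
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function start_session(): void
{
    // Point 1: the session cookie is only ever sent over SSL/TLS.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    ini_set('session.use_only_cookies', '1'); // ignore session ids typed into the URL
    ini_set('session.use_strict_mode', '1');  // refuse ids the server did not issue
    session_start();
}

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) {
        return false;
    }
    // Point 2: throw away the pre-login id. PHP keeps the $_SESSION data under
    // the new id; passing true deletes the old session's stored data.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

function logout(): void
{
    // Point 3: empty the data, expire the cookie, destroy the server-side session.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'], 'domain' => $p['domain'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'],
    ]);
    session_destroy();
}
```

Call `start_session()` at the top of every script before any output, and wire `logout()` to the logout button.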