Monty,

The best way to avoid SID "Hijacks" is to assign an IP variable, and an
expiration....

session_start(); // must come before anything touches $_SESSION
// With $_SESSION there is no need for session_register(); mixing the two is
// discouraged, and the keys must match the ones checked later.
$_SESSION['USERIP']  = $_SERVER['REMOTE_ADDR'];
$_SESSION['expires'] = time() + 900; // 900 seconds (15 mins)

and then the session has the user's IP address assigned to it and an expiry;
then to check you simply...

if ($_SESSION['expires'] < time()) {
    die("Your session has expired after 15 minutes of inactivity");
}

// same key as the one set at login
if ($_SESSION['USERIP'] != $_SERVER['REMOTE_ADDR']) {
    die("This session is not valid for you");
}

The only problem lies with people on AOL or those that use proxies because
their IP address can change from minute to minute.

With the expiry, make sure you update the expiry on every page after
you've checked it to keep it 15 minutes in the future.

Any more help get in touch.

Bix.

"Monty" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> > both the cookie and URL based session passed over without SSL is
> > insecure.
> > i'd love to know who told you otherwise.
>
> I can't remember the exact sites now, but, the issue was about how much
> easier it is to spoof Sessions when IDs are passed via the URL as opposed
> to being stored in a cookie.
>
> > perhaps now is the time to re-think all this stuff, decide if you are
> > going to support everyone (which i would for any paying client with a wide
> > target market), or skip over those who don't meet your definition of a web
> > visitor.
>
> After your in-depth response, I've re-thought my re-thinking and have gone
> back to wanting to support all users whether or not they have cookies
> turned on. And, miraculously, I've already got it working, so, thanks for
> your detailed reply.
>
> But going back to the first point, if I'm passing Session IDs via the URL,
> shouldn't I be doing something more to make the site a little more secure?
> I don't store sensitive data in sessions vars, but, if it allows a
> non-paying member to hijack a paying member's session, then this is going
> to be a problem. But I'm not sure what more I can do to make the session a
> little more secure and less likely that someone will hijack it. SSL is a
> little overkill for this, as this isn't a bank or financial institution,
> it's just a little community website.
>
> The log-in for the site is fairly simple: After verifying the username and
> password against what's stored in the DB, it sets up a few session vars
> with that member's access level and a few other preferences. This is so I
> don't have to continually query the DB for this info on every page.
>
> Is there anything more I can do to make it harder to spoof sessions?
>
> > just to throw another spanner into it all, what happens if I have JS
> > off? will I still be able to access the content of the pop-ups?  i bet
> > not :)
>
> Well, I have to draw the line somewhere. Javascript is used throughout
> this site for simple things like resizable popups. I'm not willing to dumb
> it down that much.
>
> Thanks!
>
> Monty
>



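Bix's IP-plus-expiry binding, including the "update the expiry on every page" step, gathered into two functions so every protected page runs the same checks. This is an added example, not code from Bix's or Monty's posts; the function names are my own, the 900-second window is Bix's, and the session_regenerate_id() call at login is an addition that discards whatever ID the visitor arrived with (relevant when the ID travels in the URL, as in Monty's setup).

```php
<?php
// Added example (not Bix's or Monty's code). Helper names are hypothetical.

const SESSION_IDLE_SECONDS = 900; // 15 minutes of inactivity, as in Bix's reply

// Call once, right after the username/password check succeeds.
function bind_session_to_client(): void
{
    // Replace any ID the visitor arrived with (e.g. one carried in a URL) so
    // a pre-chosen ID does not become the logged-in session's ID.
    session_regenerate_id(true);
    $_SESSION['USERIP']  = $_SERVER['REMOTE_ADDR'];
    $_SESSION['expires'] = time() + SESSION_IDLE_SECONDS;
}

// Call at the top of every protected page, after session_start().
// Returns '' when the session is good, otherwise the reason it is not.
function check_session(): string
{
    if (!isset($_SESSION['USERIP'], $_SESSION['expires'])) {
        return 'not logged in';
    }
    if ($_SESSION['expires'] < time()) {
        return 'expired after ' . (SESSION_IDLE_SECONDS / 60) . ' minutes of inactivity';
    }
    // Strict comparison: a mismatch means a different client presented this ID.
    // Caveat from the thread: AOL and proxy users can change IP mid-session,
    // so this check will log those users out.
    if ($_SESSION['USERIP'] !== $_SERVER['REMOTE_ADDR']) {
        return 'address mismatch';
    }
    // Sliding window: push the expiry 15 minutes into the future on every hit.
    $_SESSION['expires'] = time() + SESSION_IDLE_SECONDS;
    return '';
}

// Usage on a protected page: reject and discard any session that fails.
session_start();
if (($reason = check_session()) !== '') {
    session_unset();
    session_destroy();
    die('This session is not valid for you: ' . $reason);
}
```
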
-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
