* Thus wrote Matthew A. Blasinski ([EMAIL PROTECTED]):
> Thanks for the response Chris, that's just the type of thing I was
> looking for!
>
> So, I'm thinking a plausible session id could be made by hashing their
> identification (to make it useful to the rightful owner only) with a
> private key (to make it hard to get and guess). I think the
> identification could be their IP, user agent, and maybe one or two more
> constant headers. The private key, of course, could be anything
> unguessable and kept secure.

Using the IP of the user may force things to break on the client easily. There are a number of users who are behind proxies that change per request (i.e. AOL users), thus their session would become obsolete on their next request. Another issue would be inactivity for the session. You could also keep track of an internal last_requested variable that would expire after a certain amount of time.

> This leads me to one more question - would it be better to pass this by
> PUTing it in the URL or generating it at the start of each page.
> Passing is pretty simple, but I think generating it has the added
> benefit of the end user being unable to forge it because it never leaves
> the server or comes from the client. Does this seem reasonable and
> worthwhile? (I have a habit of overcomplicating things like this :-))

I suppose it would depend on how secure you want your session to be from SID hijacking. A generation of key hash per request would perhaps be a little overkill if you are just keeping track of the last page the person was on. Handling sensitive information, however, is a different story (i.e. CC numbers).

Curt
--
"I used to think I was indecisive, but now I'm not so sure."

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
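Taking the points raised in the thread together (a server-side private key, leaving the IP out of the identification because proxies rotate it, and a last_requested timer for inactivity), the following is an added Python example, not code from this thread or from PHP, showing one way to put them into practice: the session ID handed to the client is random and unguessable, the keyed hash of the stable headers is kept only on the server as a fingerprint, and each lookup refreshes an inactivity timestamp. The header names, the timeout value, the SERVER_KEY and the FakeClock helper are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for this example; a real deployment would
# load it from configuration and never send it to the client.
SERVER_KEY = secrets.token_bytes(32)

# Assumed inactivity limit (seconds) after which a session is discarded.
IDLE_TIMEOUT = 30 * 60


def fingerprint(headers, key=SERVER_KEY):
    """Keyed hash (HMAC-SHA256) over request headers that stay constant
    for one browser session. The client IP is deliberately left out:
    users behind per-request rotating proxies would otherwise lose their
    session on the next request."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    msg = (ua + "\n" + lang).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class SessionStore:
    """Minimal in-memory session table: sid -> fingerprint, timestamp, data."""

    def __init__(self, clock=time.time, key=SERVER_KEY):
        self.clock = clock
        self.key = key
        self.sessions = {}

    def create(self, headers):
        # The ID is random, never derived from client data, so it cannot be
        # forged or guessed; the fingerprint never leaves the server.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {
            "fp": fingerprint(headers, self.key),
            "last_requested": self.clock(),
            "data": {},
        }
        return sid

    def lookup(self, sid, headers):
        """Return the session's data dict, or None if the ID is unknown,
        the session has been idle too long, or the request does not match
        the fingerprint recorded at creation."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_requested"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return None
        if not hmac.compare_digest(entry["fp"], fingerprint(headers, self.key)):
            return None
        entry["last_requested"] = now
        return entry["data"]


class FakeClock:
    """Assumed helper so the idle timeout can be exercised deterministically."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    """Walk through the three failure modes and return what each lookup did."""
    clock = FakeClock()
    store = SessionStore(clock=clock)
    # Constructed request headers standing in for a real browser.
    browser = {"User-Agent": "Mozilla/5.0 (constructed)", "Accept-Language": "en-US"}
    sid = store.create(browser)
    store.lookup(sid, browser)["user"] = "alice"

    results = {}
    results["same_client"] = store.lookup(sid, browser) == {"user": "alice"}
    other = dict(browser, **{"User-Agent": "curl/8.0 (constructed)"})
    results["other_client"] = store.lookup(sid, other) is None
    results["guessed_id"] = store.lookup("not-a-real-id", browser) is None
    clock.advance(IDLE_TIMEOUT + 1)
    results["after_idle"] = store.lookup(sid, browser) is None
    return results


if __name__ == "__main__":
    print(demo())
```

Because the fingerprint is stored and compared server-side only, the property Matthew was after (the identifying hash never leaves the server or comes from the client) is obtained without regenerating anything per request; the client holds nothing but an opaque random ID, and the inactivity check in lookup() is the last_requested idea from Curt's reply.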