--- "Matthew A. Blasinski" <[EMAIL PROTECTED]> wrote:

> So, I'm thinking a plausible session id could be made by hashing
> their identification (to make it useful to the rightful owner
> only) with a private key (to make it hard to get and guess). I
> think the identification could be their IP, user agent, and maybe
> one or two more constant headers. The private key, of course,
> could be anything unguessable and kept secure.
A few comments...

This session ID doesn't have to be generated from any user data. It can be a completely random and unique string that you generate for any user who arrives at your site without an active session. Even though it is probably very difficult to reverse or guess a valid ID from your method above, the extra risk isn't necessary.

Also, the IP address isn't a very good piece of data to use, because it is not necessarily consistent. So, while it might make things harder for the bad guys (to spoof the good guy's IP), it could also make things hard for the good guys (they are AOL users, lose their modem connection, etc.).

So doesn't this contradict everything I mentioned previously? No, the data I mentioned keeping (User-Agent is my favorite example) is data that you can keep on the server within the session, such as:

$_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'];

That would be the first time, of course. Since session variables aren't sent to/from the client (unless you output one, of course), they are safer than things transmitted across the public Internet. So, the session ID doesn't have to have any data within it that makes it useless to anyone but the rightful owner - the session that it is associated with on the server can instead. This might make things simpler for you.

> This leads me to one more question - would it be better to pass
> this by PUTing it in the URL or generating it at the start of
> each page. Passing is pretty simple, but I think generating it
> has the added benefit of the end user being unable to forge it
> because it never leaves the server or comes from the client.

You lost me with that bit. While it is good that you want to eliminate any unnecessary transmission of data across the Internet, the session ID is the one thing the client *must* send you in order for you to maintain session. It is how you identify who it is. Maybe you can rephrase what you're asking?

Hope that helps.
Chris

=====
Become a better Web developer with the HTTP Developer's Handbook
http://httphandbook.org/

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
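The approach Chris describes, as an added example that is not part of the original e-mail or of any PHP project code: a session ID made of nothing but CSPRNG output, with the User-Agent recorded server-side on the first request and compared on every later one. The function names (new_session_id, start_session, resume_session) and the array-backed session store are my own; the store stands in for PHP's real session handler ($_SESSION) so the script runs from the CLI. It assumes PHP 7+ for random_bytes() and hash_equals(), neither of which existed when this thread was written.

```php
<?php
// Added example, not from the original post. Function names and the
// array-backed store are assumptions made so this runs from the CLI.
declare(strict_types=1);

// 1. The session ID carries no user data at all: 32 bytes from the OS
//    CSPRNG, hex-encoded. Nothing in it can be reversed or "hashed toward".
function new_session_id(): string
{
    return bin2hex(random_bytes(32));
}

// 2. First request: mint an ID and record the User-Agent *on the server*,
//    inside the session data. The client never sees this value again.
//    $store plays the role of PHP's session storage; $server plays $_SERVER.
function start_session(array &$store, array $server): string
{
    $sid = new_session_id();
    $store[$sid] = [
        'user_agent' => $server['HTTP_USER_AGENT'] ?? '',
        'created'    => time(),
    ];
    return $sid;
}

// 3. Later requests: the client sends only the ID (cookie or URL). Look it
//    up, then compare the stored User-Agent with the one presented now.
//    Returns the session data on success, null if the ID is unknown or the
//    User-Agent does not match (in which case the session is destroyed).
function resume_session(array &$store, string $sid, array $server): ?array
{
    if (!isset($store[$sid])) {
        return null; // unknown or expired ID
    }
    $presented = $server['HTTP_USER_AGENT'] ?? '';
    // Constant-time compare: not strictly needed for a User-Agent, but it
    // is the habit to have for any server-side secret comparison.
    if (!hash_equals($store[$sid]['user_agent'], $presented)) {
        unset($store[$sid]); // possible hijack: drop the session entirely
        return null;
    }
    return $store[$sid];
}

// --- constructed requests (not captured traffic) ---
$store = [];

$victim = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/120.0'];
$sid = start_session($store, $victim);
echo "issued session ID: $sid\n";

// Same client presenting the same User-Agent: accepted.
var_dump(resume_session($store, $sid, $victim) !== null);   // bool(true)

// The same ID replayed by someone else with a different User-Agent:
// rejected, and the session is gone for the victim too.
$attacker = ['HTTP_USER_AGENT' => 'curl/8.4.0'];
var_dump(resume_session($store, $sid, $attacker) === null); // bool(true)
var_dump(isset($store[$sid]));                              // bool(false)
```

Two practical notes. First, the User-Agent is still a client-supplied header, so this check only defeats an attacker who has obtained the ID but not the victim's headers; it raises the bar, it is not an authentication of the client. Second, destroying the session on mismatch is deliberate: it means a stolen ID stops working for the thief and the legitimate user simply logs in again, which is the cheaper failure mode.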