Chris Shiflett wrote:
> --- "Matthew A. Blasinski" <[EMAIL PROTECTED]> wrote:
>
> > So, I'm thinking a plausible session id could be made by hashing
> > their identification (to make it useful to the rightful owner
> > only) with a private key (to make it hard to get and guess). I
> > think the identification could be their IP, user agent, and maybe
> > one or two more constant headers. The private key, of course,
> > could be anything unguessable and kept secure.
>
>
> A few comments...
>
> This session ID doesn't have to be generated from any user data. It can be a
> completely random and unique string that you generate for any user who arrives
> at your site without an active session. Even though it is probably very
> difficult to reverse or guess a valid ID from your method above, the extra risk
> isn't necessary.
>
> Also, the IP address isn't a very good piece of data to use, because it is not
> necessarily consistent. So, while it might make things harder for the bad guys
> (to spoof the good guy's IP), it could also make things hard for the good
> guys (they are AOL users, lose their modem connection, etc.).


Thanks for everyone's responses. I was thinking the IP would be usable for tracking users, and a lot of people have pointed out that's not the case. So, I'll probably go with passing it in the URL.

Thanks again,

--
Matt Blasinski (mbv)
Internet Infrastructure Applications Technology
Division of Information Technology
3121 Computer Science and Statistics
1210 West Dayton Street
Madison WI 53706
Work (608) 262-2286
Cell (608) 206-4098


-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
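An added example, not code from anyone in the thread, of the approach Chris describes: a session ID that is pure CSPRNG output, with no IP, user agent or secret key mixed in, stored server-side and handed to the browser in a cookie. The cookie name, the in-memory `$sessions` array standing in for a session table, and the PHP 7.3+ requirement (`random_bytes()`, the options form of `setcookie()`) are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example (not from the mailing-list thread). Assumes PHP >= 7.3.
// The session ID carries no user data at all; it is bound to the client
// only by the cookie that holds it, so a changing IP never breaks it.

const SESSION_COOKIE   = 'sid';   // assumed cookie name
const SESSION_ID_BYTES = 16;      // 128 bits of entropy -> 32 hex characters

// Returns a fresh, unpredictable session ID from the OS CSPRNG.
function generate_session_id(): string
{
    return bin2hex(random_bytes(SESSION_ID_BYTES));
}

// Anything that does not look exactly like an ID we issued is rejected
// before it reaches the store, so a client-supplied value is never trusted.
function is_well_formed_session_id(string $id): bool
{
    $pattern = '/^[0-9a-f]{' . (SESSION_ID_BYTES * 2) . '}$/';
    return preg_match($pattern, $id) === 1;
}

// $store stands in for a server-side session table: id => session data.
// Returns the ID of the session this request belongs to, creating one if needed.
function resolve_session(array &$store): string
{
    $presented = $_COOKIE[SESSION_COOKIE] ?? '';

    if (is_well_formed_session_id($presented) && isset($store[$presented])) {
        return $presented;   // a known, server-issued ID
    }

    // Unknown or malformed ID: never adopt the client's value (that would
    // let a caller pick the ID, i.e. session fixation); issue a new one.
    $id = generate_session_id();
    $store[$id] = ['created' => time()];

    setcookie(SESSION_COOKIE, $id, [
        'httponly' => true,   // not readable by page scripts
        'secure'   => true,   // only sent over HTTPS
        'samesite' => 'Lax',
        'path'     => '/',
    ]);

    return $id;
}

$sessions = [];                        // constructed in-memory store for the demo
$sid = resolve_session($sessions);     // first visit: a new ID is issued and stored
```

Keeping the ID in a cookie rather than the URL avoids copying it into Referer headers, bookmarks and proxy logs. PHP's own `session_start()` already generates IDs this way; with `session.use_only_cookies=1` and `session.use_strict_mode=1` it likewise ignores IDs that did not come from the server.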