> > Nice article by the way, and I am indeed already using those same
> > methods to secure the user session. (I use SHA1 on the IP, PHPSESSIONID,
> > user agent, and a secret...)
>
> Thanks for the kind words. I must point out that you'll never see me
> suggesting to use the IP address for anything important, especially
> anything regarding security.
I read your article about session security in php magazine as well as in php architect. Both are very nice articles. I would like to ask you what the reason is that you are not suggesting using the IP address as one of the parts in generating the fingerprint.

In php architect magazine (Feb) you have suggested using session_regenerate_id() on all the pages before I start the session. In my application I am storing some variables temporarily in the DB for the specific session ID. Now if the session ID changes from page to page, then how would I retrieve the information back from the DB? What is the reason you are suggesting using that function?

> Also, George Schlossnagle recently expressed to me that he has observed
> the User-Agent header changing for the same client. I've never heard of
> this myself, and he had nothing but his memory of the event to support it,
> but it's something to keep in mind. I try to never "punish" a user who
> fails a check, just in case the user isn't actually the bad guy. Rather, I
> ask the user to re-enter the password or something, which is less
> problematic (unless the user really is a bad guy).

Please let me know what the best combination for the fingerprint should be. Currently I am using SECRETWORD + user agent + accept charset + session id and hashing it with md5(). Now if someone has pointed out that the user agent changes for the same browser, then I don't think it's worth adding the user agent. What do you think?

I have one concern about securing the session variables. I may be wrong here. If the bad guy steals the session ID information, then he can also produce the same fingerprint too, because right now I am storing the fingerprint in the session variable and on every page I am checking the expected fingerprint. So please explain to me how a bad guy can attack the client machine. How can the fingerprint save an application from this attack? I am not clear here. Thanks for the nice articles.
I am waiting for your future security tips in php architect magazine.

Regards,
Hardik

-- PHP General Mailing List (http://www.php.net/)
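The fingerprint pattern discussed in this thread, written out as an added example (not code from the thread or from the articles it refers to): the fingerprint leaves out the IP address, a mismatch triggers a password re-check rather than dropping the session, and temporary DB rows are keyed by a stable token kept in the session so that session_regenerate_id() does not orphan them. SESSION_SECRET_KEY is a placeholder and requireReauth() is a hypothetical helper.

```php
<?php
// Added example, not the thread's own code. Assumes the application stores
// its temporary DB rows under $_SESSION['data_key'] instead of the PHP
// session id, so rotating the id with session_regenerate_id() is harmless.

const SESSION_SECRET_KEY = 'replace-with-a-long-random-secret'; // placeholder

function fingerprint(array $server): string
{
    // Only request headers the same client sends consistently; the remote
    // address is deliberately left out, since proxies and mobile networks
    // change it mid-session and would lock out legitimate users.
    $parts = [
        $server['HTTP_USER_AGENT'] ?? '',
        $server['HTTP_ACCEPT_CHARSET'] ?? '',
    ];
    // Keyed hash rather than md5(secret . data): the secret acts as a key.
    return hash_hmac('sha256', implode("\n", $parts), SESSION_SECRET_KEY);
}

function checkSession(array $server): bool
{
    if (empty($_SESSION['fingerprint'])) {
        // First request of a fresh session: bind it to this client.
        $_SESSION['fingerprint'] = fingerprint($server);
        // Stable key for DB rows; survives session id regeneration because
        // session data is carried over to the new id.
        $_SESSION['data_key'] = bin2hex(random_bytes(16));
        return true;
    }
    if (!hash_equals($_SESSION['fingerprint'], fingerprint($server))) {
        // Mismatch: the User-Agent may simply have changed, so do not
        // destroy the session; require the password again before trusting it.
        $_SESSION['needs_reauth'] = true;
        return false;
    }
    // Rotate the session id on every request; old id is deleted server-side.
    session_regenerate_id(true);
    return true;
}

session_start();
if (!checkSession($_SERVER)) {
    requireReauth(); // hypothetical: renders the password prompt and exits
}
```

The fingerprint only raises the bar for a session id copied to a second machine; an attacker who also captures the client's request headers can reproduce it, which is why a mismatch is treated as a re-authentication prompt and not as proof of anything.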