-----Original message-----
From: Nitsan Bin-Nun [mailto:[EMAIL PROTECTED]
<snip>
The session.use_trans_sid setting automatically adds
> sid=**(32-chars-sess-id)**
>
to the URLs of the website,
it should solve your problem
</snip>
ME -> I added "session.use_trans_sid = 1" to the beginning of my php.ini
file and I don't see that sid parameter in any $_GET value.
ME -> Nothing has changed, nothing. :/
ME -> Will I have to use url_rewrite()? Is that what Daniel was talking
about?
try to use it if you have access to php.ini; otherwise, my suggestion is
to forward a compiled (coded or something like
that) <SNIP> you should
forward a compiled string that contains some crap like an md5
of the user and pass with some salt and check the string at
each page (it can get hijacked quickly but this is out of discussion).
ME -> That sounds good, but too much effort to rebuild all hrefs. The system
is quite big for that.
sorry for going off topic
I wrote that without any attention so I'm sorry for anything
that will mislead you in the wrong direction, hope it helps,
Nitsan
ME-> That was not OT, and quite good to know :)
Thanks,
Thiago
{As of now, I'm only going to top post :)}
On 04/04/2008, Thiago Pojda <[EMAIL PROTECTED]> wrote:
>
> From: Daniel Brown [mailto:[EMAIL PROTECTED]
> Probably because of the fear of session hijacking and spoofing.
> The thing is, a handwritten cookie is just as effective for that, by
> changing the PHPSESSID (or equivalent). In any case, a 32-byte
> hexadecimal hash should be sufficient security for most sessions.
>
> </Daniel P. Brown>
>
>
> Yes, that's what they say.
>
> But anyway, adding that setting did not change a thing and I still
> can't see my sessid anywhere in my code.
>
> What will happen if I do it manually? Add the sessionid in a hidden
> input field in every form (I don't feel like doing it, but if I have
> to...) will do it?
>
> Sorry to be asking too much, but I can't seem to be able to test it
> and the docs are very poor for this.
>
>
> --
> PHP General Mailing List (http://www.php.net/) To unsubscribe, visit:
> http://www.php.net/unsub.php
>
>
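The forwarded-string idea from the reply above, as an added example that is not code from this thread: instead of an md5 of the user and password with a salt, the token below carries the user id and an expiry time, authenticated with an HMAC under a server-side secret and checked in constant time on each page. The function names, the secret and the lifetime are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. All names and values are hypothetical.
// Server-side secret: in practice load it from configuration outside the web root.
const TOKEN_SECRET = 'constructed-example-secret-change-me';
const TOKEN_TTL    = 900; // seconds a token stays valid

// Build "hex(userId).expiry.mac". The password never goes into the token.
function make_token(string $userId, int $now): string
{
    $payload = bin2hex($userId) . '.' . ($now + TOKEN_TTL);
    $mac     = hash_hmac('sha256', $payload, TOKEN_SECRET);
    return $payload . '.' . $mac;
}

// Return the user id if the token is authentic and unexpired, otherwise null.
function check_token(string $token, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null; // malformed
    }
    [$userHex, $expiry, $mac] = $parts;

    // Recompute the MAC over exactly what was signed; hash_equals()
    // compares in constant time, so the check does not leak MAC bytes.
    $expected = hash_hmac('sha256', $userHex . '.' . $expiry, TOKEN_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null; // forged or modified
    }
    // Expiry is only trusted after the MAC check has passed.
    if (!ctype_digit($expiry) || (int) $expiry < $now) {
        return null; // expired
    }
    $userId = hex2bin($userHex);
    return $userId === false ? null : $userId;
}

// Constructed sample run.
$now   = time();
$token = make_token('thiago', $now);
var_dump(check_token($token, $now));                  // fresh token
var_dump(check_token($token . '0', $now));            // MAC altered
var_dump(check_token($token, $now + TOKEN_TTL + 1));  // past its expiry
```

A token carried in a URL or a hidden field can still be copied by anyone who sees it, so the short expiry only bounds how long a captured token is useful.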