On Saturday 30 June 2001 18:17, adam (dahamsta) wrote:

> making it too awkward - in a forms- and sessions- based situation. What
> I have difficulty with is understanding how the thousands of websites I
> mentioned manage it without being overly concerned about security. Or
> is that the problem - they're not concerned enough, and we should all
> be using PKI's? For regular websites though, I think that might be
> overkill, especially when a huge majority of people don't understand
> even the fundamentals of security and encryption. (I tried to explain
> it to my Dad last night, it was painful but productive. :)

Little idea in between - What if you not only give the user (via cookies 
or URL) a (normal, random) session ID but also a (small) random string 
that changes on every request (non-predictably)?
That would mean that if someone *did* snoop the transmitted SessionID 
stuff, he would have to use it *before* the real user clicks on another 
link (because then the ID would be changed again).

Still has some holes, but should catch most attacks.

-- 
Christian Reiniger
LGDC Webmaster (http://lgdc.sunsite.dk/)

void sleep(){for(long int sheep=0;!asleep();sheep++);}

--
PHP General Mailing List (http://www.php.net/)
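The per-request rotating token scheme from the post above, as an added example (not code from the original thread). It is a language-neutral sketch in Python rather than PHP: a session store keeps one current token per session ID, replaces it on every successful request, and, as an assumption beyond the post, destroys the session when a stale token is presented, since a stale token means either a replay or that someone else already spent the current one. Two simulations show the case the scheme catches and the race it leaves open.

```python
import secrets
import hmac


class RotatingTokenSessions:
    """Long-lived session ID plus a one-time token that rotates on every
    successful request (the scheme proposed in the post)."""

    def __init__(self):
        self._sessions = {}  # sid -> currently valid token

    def create(self):
        sid = secrets.token_urlsafe(32)     # normal random session ID
        token = secrets.token_urlsafe(16)   # small per-request random string
        self._sessions[sid] = token
        return sid, token

    def request(self, sid, token):
        """Validate (sid, token); return the next token on success.
        Assumption added here: an unknown or stale token destroys the
        session, so a replayed token also kicks out whoever holds it."""
        current = self._sessions.get(sid)
        if current is None or not hmac.compare_digest(current, token):
            self._sessions.pop(sid, None)   # constant-time compare failed
            return None
        nxt = secrets.token_urlsafe(16)
        self._sessions[sid] = nxt           # rotate: old token is now dead
        return nxt

    def is_active(self, sid):
        return sid in self._sessions


def replay_after_user_click():
    """Caught case: snooped token is used after the user's next click."""
    store = RotatingTokenSessions()
    sid, t0 = store.create()
    snooped = t0
    t1 = store.request(sid, t0)            # legitimate click rotates t0 away
    return t1 is not None and store.request(sid, snooped) is None


def replay_before_user_click():
    """The hole the post admits: attacker spends the token first. The
    user's next click then fails on the stale token and kills the session,
    which is the detection signal, but the attacker had access until then."""
    store = RotatingTokenSessions()
    sid, t0 = store.create()
    attacker_next = store.request(sid, t0)  # attacker wins the race
    user_result = store.request(sid, t0)    # user's click with stale t0
    return attacker_next is not None and user_result is None \
        and not store.is_active(sid)
```

A practical caveat the post does not mention: a browser issues several requests per page (images, frames, parallel tabs), so strict one-token-per-request rotation rejects legitimate traffic unless the token is only rotated on top-level navigations or a short grace window of previous tokens is kept.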