Rasmus, et al.,

OK, I'm still confused. What does SSL have to do with any of this?

If I'm running a site using SSL, all that does is encrypt the 
transmitted info right?  It doesn't have anything to do directly with 
the sessions though?

The problem I'm wrestling with is:

Person A logs in to my SSL website and provides a username/password 
which I verify. I then start a session for them. I have a ten-minute 
timeout period which gets reset with every page they visit during 
this session.

I pass the session id using either a cookie that expires at the end 
of the session or a URL. Using the cookie seems quite secure. Using 
the session ID as part of the URL seems less secure because...

If person B happens to look over person A's shoulder and records the 
URL (it is long and "obscure" with the session id, but for the sake of 
argument) and then goes and visits the same web site, he's in, right? 
And using SSL doesn't affect this at all, unless I'm totally confused 
(quite possible).  If A and B are both behind the same firewall their 
IPs might not be distinguishable. The HTTP_REFERER stuff doesn't do 
anything for me because they are already within my site?

Is this just an insoluble problem using the URL approach and the only 
thing to do is require cookies be enabled?


  Bill Rausch, Software Development, Unix, Mac, Windows
  Numerical Applications, Inc.  509-943-0861   [EMAIL PROTECTED]

PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
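The setup the post describes (cookie-only session IDs, a ten-minute idle timeout that resets on every request, a fresh ID at login) is shown below as an added example; it is editor-written illustration, not code from the post or from the list. It assumes PHP 7.3 or later with the standard session extension and a server reached only over HTTPS; the `login`, `require_login` and `logout` function names, the `IDLE_TIMEOUT` constant and the `last_seen` session key are all made up for the example. Note what it does and does not fix: refusing IDs from the URL removes the shoulder-surfing exposure, and the `secure` flag keeps the cookie off plain HTTP, but the ID is still a bearer token, so anyone who obtains the cookie is "in" until the idle timeout or logout invalidates it on the server side. SSL only protects the ID in transit, exactly as the post suspects.

```php
<?php
// Added example (not from the original post). Assumes PHP >= 7.3 with the
// standard session extension, served only over HTTPS. Function names,
// IDLE_TIMEOUT and the 'last_seen' key are illustrative choices.

// Refuse session IDs carried in the URL: the cookie is the only source.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Don't accept client-supplied IDs that the server never issued.
ini_set('session.use_strict_mode', '1');

// Cookie dies with the browser, is sent only over HTTPS, and is not
// readable from client-side script.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

const IDLE_TIMEOUT = 600; // ten minutes, as in the post

// Called after the username/password has been verified.
function login(string $user): void
{
    // New ID on login, so an ID observed before authentication is useless
    // afterwards (the old ID is deleted on the server).
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['last_seen'] = time();
}

// Called at the top of every protected page; returns the user or null.
function require_login(): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    // Idle timeout: enforced on the server, not just by cookie expiry,
    // so a replayed ID stops working once the real user goes quiet.
    if (time() - (int) $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time(); // reset the ten-minute window
    return $_SESSION['user'];
}

// Invalidate the session on the server and clear the cookie.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
                  $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
// $user = require_login();
// if ($user === null) { header('Location: /login.php'); exit; }
```

With `session.use_only_cookies` set, a visitor whose browser rejects cookies simply gets a new empty session on every request, so the honest answer to the post's closing question is that the URL approach cannot be made safe against a copied URL and cookies have to be required. Regenerating the ID at login and destroying the session on logout are what keep a captured ID from living longer than the user's own activity.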
