Entering the conversation late...

1 IP addresses

Remember these are not necessarily 'unique'. If two of us here log in, won't we appear (to you) to have the same IP address if we're 'hiding' behind a NAT (Network Address Translation) box? Also dial-up users share a pool of IP addresses which are reallocated between customers as they disconnect/reconnect.

2 Cookies

I think someone has already made points against their use. Many corporates set up/require that browsers are configured to reject all cookies (plays havoc with many shopping and banking sites). Obviously there is popular advice that cookies are 'not good', because I've had a number of friends and clients tell me that they regularly clear out their 'cookie jar' - and need help when they get over enthusiastic and clear more than they should...

There's a balance between easing life for those who are 'in', and turning off those trying to arrive. The trick is finding it!

=dn

----- Original Message -----
From: "SpamSucks86" <[EMAIL PROTECTED]>
To: "'PHP-General'" <[EMAIL PROTECTED]>
Sent: 23 January 2002 23:46
Subject: RE: [PHP] Need opinion On sessions - Cookies mandatory?

> The idea of building a website is largely to accommodate as large a
> portion of your visitors as possible. I'm not worried about people
> bookmarking sessionID's, but what if someone copy/pastes the URL to a
> friend and they use the section. My friend gave me an excellent idea,
> and that is to check their IP and store the IP in the session. If the IP
> doesn't match, then start a new session. This would be perfect, because
> there's a double check. If someone disconnects from the internet but never
> closes their browser, I don't think they should be allowed to continue
> their session anyway, they should be required to login again.
>
> -----Original Message-----
> From: Nick Wilson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 23, 2002 3:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [PHP] Need opinion On sessions - Cookies mandatory?
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> * and then Jason G. blurted....
> > If cookies do not work, then you must have a session_id appended to the
> > URL. HTTP is a "stateless" protocol. So every time you make a request via
> > HTTP, you must let PHP know what the session_id is either through cookies,
> > or url query strings (or possibly posted with a form).
>
> Yep, now I'm with you. The amount of times you'd see that kind of ugly
> URL would be fairly minimal in most situations as most users these days
> aren't even aware they *can* disable cookies.
>
>
> > >> disable cookies, but appending the session ID could be a security risk.
> > >> Consider this: Someone is viewing a page and says "oh cool, I want Joe
> > >> to see this". He then copy/pastes the URL, sessionID and all, to Joe,
> > >> who then loads up the page using his friend's SessionID. With cookies,
> > >> this would not happen.
> > >
> > >Not a problem. The session is *destroyed* as soon as a user closes the
> > >browser.
> >
> > A session will only be *destroyed* if it uses a cookie. PHP never knows
> > when you close the browser, but the browser will remove the cookie. Next
> > time you fire up the browser, it will not send the cookie, and a different
> > session will be started.
>
> Sure. But there is some kind of clean on the host machine right? You
> couldn't expect to continue a session a week later because you've
> bookmarked a URL containing a SID.
> I think this is controlled by something like a timeout var in the
> php.ini.
>
> > In my personal experience, using cookies only has not proven to be a
> > problem. Your call.
>
> When you say using cookies only do you mean 'requiring' the user to have
> cookies enabled?
>
> - --
>
> Nick Wilson
>
> Tel: +45 3325 0688
> Fax: +45 3325 0677
> Web: www.explodingnet.com
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (GNU/Linux)
>
> iD8DBQE8TnW3HpvrrTa6L5oRAthOAJ0WOpUWC5fFMokhYF2QsaQaQolp+wCfQWHL
> 03BrqRN2kLf+VWC/tzDSHho=
> =Gek0
> -----END PGP SIGNATURE-----
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>
>
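Added example, written here and not code from anyone in this thread: a PHP session bootstrap that applies the points raised above. It keeps the session ID out of the URL (the copy/paste-to-Joe problem), regenerates the ID at login, records the client address in the session as SpamSucks86's friend proposed, and enforces the inactivity timeout that Nick refers to as the "timeout var" in php.ini (session.gc_maxlifetime). The function names, the 30-minute idle limit, the 203.0.113.x documentation-range addresses and the clock value in the scenarios are all this example's own choices, not anything from the thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from anyone in the thread. The function names, the
// IDLE_LIMIT_SECONDS value and the sample addresses/clock below are constructed.

const IDLE_LIMIT_SECONDS = 1800; // assumption: 30 minutes idle ends a session

// Keep the session ID in a cookie only, never in the URL. With use_trans_sid off
// and use_only_cookies on, PHP neither appends ?PHPSESSID=... to links nor accepts
// a SID from the query string, so a copy/pasted URL carries nothing Joe could reuse.
// use_strict_mode rejects IDs the server never issued. gc_maxlifetime is the php.ini
// "timeout var" the thread refers to; keep it in step with the idle limit.
function sessionBootstrap(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT_SECONDS);
    session_start();
}

// Call after a successful login: a fresh ID means whatever SID the browser carried
// before login never becomes an authenticated one, and the session is bound to the
// address it was authenticated from, as suggested in the thread.
function bindSessionToClient(array &$session, string $clientIp, int $now): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['client_ip']    = $clientIp;
    $session['last_seen_at'] = $now;
}

// The per-request check. Returns the reason a session must be discarded, or null
// if it may continue. Exact-address matching is what the thread proposes; the
// scenarios at the bottom show what that does with NAT and dial-up users.
function sessionRejectionReason(array $session, string $clientIp, int $now): ?string
{
    if (!isset($session['client_ip'], $session['last_seen_at'])) {
        return 'not authenticated';
    }
    if ($now - (int) $session['last_seen_at'] > IDLE_LIMIT_SECONDS) {
        return 'idle timeout';
    }
    if (!hash_equals((string) $session['client_ip'], $clientIp)) {
        return 'client address changed';
    }
    return null;
}

// Glue for a real request on a page that requires login: discard the session on
// any rejection reason, otherwise refresh the idle timer. The caller redirects to
// the login page when false is returned.
function continueSession(string $clientIp, int $now): bool
{
    $reason = sessionRejectionReason($_SESSION, $clientIp, $now);
    if ($reason !== null) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_seen_at'] = $now;
    return true;
}

// Constructed scenarios from the thread, runnable stand-alone with `php thisfile.php`.
if (PHP_SAPI === 'cli' && realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    $t0 = 1000000;                                        // constructed clock value
    $session = [];
    bindSessionToClient($session, '203.0.113.7', $t0);    // constructed login address

    $scenarios = [
        'same user, same address, 5 min later'      => ['203.0.113.7', $t0 + 300],
        'dial-up reconnect, address reallocated'    => ['203.0.113.9', $t0 + 300],
        'colleague behind the same NAT, pasted SID' => ['203.0.113.7', $t0 + 300],
        'browser left open for over an hour'        => ['203.0.113.7', $t0 + 3601],
    ];
    foreach ($scenarios as $label => [$ip, $now]) {
        $reason = sessionRejectionReason($session, $ip, $now) ?? 'continues';
        printf("%-45s -> %s\n", $label, $reason);
    }
}
```

The scenarios make the two replies' points concrete: the dial-up reconnect is rejected and forces a fresh login, which is the behaviour SpamSucks86 wanted, while the colleague behind the same NAT box presents the same address and passes the IP check with a pasted SID, which is exactly the gap =dn describes. Keeping the SID out of the URL (sessionBootstrap) is what actually removes the pasted-URL case; the IP comparison only narrows who can reuse a leaked ID, so treat it as a supplement to cookie-only IDs and the idle timeout, not a substitute.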