If there are two people behind a NAT, then the site would check for a session ID and the IP. If a session ID is introduced AND their IP matches the session, they are allowed to proceed. This would prevent people from moving a session ID to another machine. If two people are behind a NAT and share a session ID, I don't think there is a way of preventing them to be assumed as the same person. So basically, it will try to use cookies alongside a matching IP, and if cookies are disabled, it will use the GET method alongside a matching IP. It just makes a double check of the user...half the risk of transferring session ID's among people...but still not fullproof...but I don't think there is a fullproof way.
"Dl Neil" <[EMAIL PROTECTED]> wrote in message news:<0ad801c1a4ba$3d49bec0$7215100a@jrbrown>... > Entering the conversation late... > > 1 IP addresses > Remember these are not necessarily 'unique'. If two of us here log in, > won't we appear (to you) have the same IP address if we're 'hiding' > behind a NAT (Network Address Translation) box? Also dial-up users > share a pool of IP addresses which are reallocated between customers > as they disconnect/reconnect. > > 2 Cookies > I think someone has already made points against their use. Many > corporates set up/require that browsers are configured to reject all > cookies (plays havoc with many shopping and banking sites). Obviously > there is popular advice that cookies are 'not good', because I've had > a number of friends and clients tell me that they regularly clear out > their 'cookie jar' - and need help when they get over enthusiastic and > clear more than they should... > > There's a balance between easing life for those who are 'in', and > turning off those trying to arrive. The trick is finding it! =dn > > > ----- Original Message ----- > From: "SpamSucks86" <[EMAIL PROTECTED]> > To: "'PHP-General'" <[EMAIL PROTECTED]> > Sent: 23 January 2002 23:46 > Subject: RE: [PHP] Need opinion On sessions - Cookies mandatory? > > > > The idea of building a website is largely to accommodate as large a > > portion of your visitors as possible. I'm not worried about people > > bookmarking sessionID's, but what if someone copy/pastes the URL to > > a friend and they use the section. My friend gave me an excellent > > idea, and that is to check their IP and store the IP in the session. > > If the IP doesn't match, then start a new session. This would be > > perfect, because there's a double check. If someone disconnects to > > the internet but never closes their browser, I don't think they > > should be allowed to continue their session anyway, they should be > > required to login again. > > > > -----Original Message----- > > From: Nick Wilson [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, January 23, 2002 3:35 AM > > To: [EMAIL PROTECTED] > > Subject: Re: [PHP] Need opinion On sessions - Cookies mandatory? > > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > > > * and then Jason G. blurted.... > > > If cookies do not work, then you must have a session_id appended > > > to > > the > > > URL. HTTP is a "stateless" protocol. So every time you make a > > request via > > > HTTP, you must let PHP know what the session_id is either through > > cookies, > > > or url query strings (or possibly posted with a form). > > > > Yep, now I'm with you. The amount of times you'd see that kind of > > ugly URL would be fairly minimal in most situations as most users > > these days aren't even aware they *can* disable cookies. > > > > > > > >> disable cookies, but appending the session ID could be a > > > >> security > > risk. > > > >> Consider this: Someone is viewing a page and says "oh cool, I > > > >> want > > Joe > > > >> to see this". He then copy/pastes the URL, sessionID and all, > > > >> to > > Joe, > > > >> who then loads up the page using his friend's SessionID. With > > cookies, > > > >> this would not happen. > > > > > > > >Not a problem. The session is *destroyed* as soon as a user > > > >closes > > the > > > >browser. > > > > > > A session will only be *destroyed* if it uses a cookie. PHP never > > knows > > > when you close the browser, but the browser will remove the > > > cookie. > > Next > > > time you fire up the browser, it will not send the cookie, and a > > different > > > session will be started. > > > > Sure. But there is some kind of clean on the host machine right? You > > couldn't expect to continue a session a week later because you've > > bookmarked a URL containind a SID. I think this is controlled by > > something like a timeout var in the php.ini. > > > > > In my personal experience, using cookies only has not proven to be > > > a problem. Your call. > > > > When you say using cookies only do you mean 'requiring' the user to > > have cookies enabled? > > > > - -- > > > > Nick Wilson > > > > Tel: +45 3325 0688 > > Fax: +45 3325 0677 > > Web: www.explodingnet.com > > > > > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.0.6 (GNU/Linux) > > > > iD8DBQE8TnW3HpvrrTa6L5oRAthOAJ0WOpUWC5fFMokhYF2QsaQaQolp+wCfQWHL > > 03BrqRN2kLf+VWC/tzDSHho= > > =Gek0 > > -----END PGP SIGNATURE----- > > > > > > -- > > PHP General Mailing List (http://www.php.net/) > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] To > > contact the list administrators, e-mail: > > [EMAIL PROTECTED] > > > > > -- PHP General Mailing List (http://www.php.net/) To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] To contact the list administrators, e-mail: [EMAIL PROTECTED]