Chris Shiflett wrote:
> How do sessions help against this? Well, they don't solve the problem
> entirely, of course, but the unique ID you pass around won't be the same
> unique ID *every* time that user visits the site. So, you at least have
> a good chance of making the window of time that an imposter has to work
> with very small.
If you want to avoid even this small window, just store in a db file the
session numbers you give away, along with the IP address of the user who
got them. Then, when you get a new request for that session, check the IP
you are getting it from, and you are 100% sure the guy is who he says he is.
There is one side effect, though. Users on unstable dial-up lines do
lose their sessions when they get disconnected and dial in again. It may
have an impact on sales.
Alberto
Kiev
--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
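The scheme Alberto describes (store each issued session ID together with the client IP, then refuse the session from any other address), as an added example that is not part of the original post or of any PHP project. It assumes PHP 7 or later with the PDO SQLite driver; the in-memory database, the `sessions` table and the function names are my own choices, and the addresses in the walk-through are constructed, not real traffic.

```php
<?php
// Added example: bind each session ID to the client IP that obtained it and
// reject any request for that session from a different address.
// Uses an in-memory SQLite database so it runs stand-alone; a real site would
// point PDO at its own database instead. Table/function names are assumptions.

function make_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        id      TEXT PRIMARY KEY,
        ip      TEXT NOT NULL,
        created INTEGER NOT NULL
    )');
    return $db;
}

// Hand out a fresh, unguessable session ID and record who got it.
function issue_session(PDO $db, string $ip): string {
    $id = bin2hex(random_bytes(16));          // 128 random bits, hex encoded
    $st = $db->prepare('INSERT INTO sessions (id, ip, created) VALUES (?, ?, ?)');
    $st->execute([$id, $ip, time()]);
    return $id;
}

// Accept a presented session ID only if it exists AND the request comes
// from the same IP that was stored when the ID was issued.
function check_session(PDO $db, string $id, string $ip): bool {
    $st = $db->prepare('SELECT ip FROM sessions WHERE id = ?');
    $st->execute([$id]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                         // unknown or forged ID
    }
    return hash_equals($row['ip'], $ip);      // constant-time comparison
}

// Constructed walk-through (addresses are documentation ranges, not real users).
$db  = make_store();
$sid = issue_session($db, '192.0.2.10');

// Same client, same address: the session is honoured.
var_dump(check_session($db, $sid, '192.0.2.10'));

// Same ID presented from another address: refused. This is the imposter
// case, but it is also the dial-up user who reconnected and got a new IP,
// which is exactly the side effect the post mentions.
var_dump(check_session($db, $sid, '198.51.100.7'));

// An ID that was never issued is refused regardless of address.
var_dump(check_session($db, 'deadbeef', '192.0.2.10'));
```

In a real request handler the second argument to `check_session()` should come from `$_SERVER['REMOTE_ADDR']`, the address the TCP connection actually arrived from, never from a client-supplied header, since the whole point of the check is that the client cannot choose the value it is compared against.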