Well!  The credit bureau website I maintain.  We don't use cookies because they
don't help when the user has them turned off.  We do compile OpenSSL and
Libmcrypt with PHP, so we can check to see if the web browser is 128 bits
and not below that.  The PHP code for that is
"$_SERVER['SSL_CIPHER_USEKEYSIZE']".  We also use
"$_SERVER['REMOTE_ADDR']" to allow only the credit bureau employees to log in
to the administration website, that is, if the employee's machine is at the
credit bureau place.  This helps with some security but is not full security,
because people outside of the credit bureau can easily change the IP
address on their machine, or be in a local network behind the firewall
with made-up IP addresses, since those won't be used on the internet or real
network.  We also use a session ID to keep track of the user, so that the user
can be logged off if idle for like 15 minutes, and we also use it to prevent
direct access attempts without logging in.  Etc.  Hope this idea can be
of help.

"Ed Lazor" <[EMAIL PROTECTED]> wrote in message
> I've typically seen the use of a login / cookie in tracking users and
> providing security.
> -----Original Message-----
> Quick Question on Cookies vs. IP Number:
> They appear to be easy to set (well, at least in PHP), hence quite
> easy to get around (the user of your site simply deletes the
> cookie on his hard drive...).  In Konqueror you are actually
> given the option of rejecting cookies...  Using
> getenv('REMOTE_ADDR') to retrieve someone's IP number
> isn't too reliable either in the case that someone is using
> dial-up...  I just want to get ideas from other PHP coders as
> to how they secure their sites and actually keep an accurate
> record as to who and how many people visit your sites,
> coz even a combination of cookies and IP would be easily
> bypassed...
> Some Ideas if you may folks...
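
The checks described in the reply at the top of this message (128-bit cipher check, session-based login with a 15-minute idle timeout, and REMOTE_ADDR filtering for the administration pages), combined into one gate. This is an added example, not the poster's code; the function names, the `ADMIN_NETS` range and the sample requests are assumptions constructed for illustration, and the address check handles IPv4 only.

```php
<?php
const IDLE_LIMIT   = 900;               // 15 minutes, as in the post
const MIN_KEY_BITS = 128;               // minimum cipher strength, as in the post
const ADMIN_NETS   = ['192.0.2.0/24'];  // constructed office range (TEST-NET-1)

// IPv4-only CIDR match; returns false on anything that does not parse.
function ip_in_cidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr);
    $ipL = ip2long($ip);
    $netL = ip2long($net);
    if ($ipL === false || $netL === false) return false;
    $mask = ((int)$bits === 0) ? 0 : (~0 << (32 - (int)$bits)) & 0xFFFFFFFF;
    return ($ipL & $mask) === ($netL & $mask);
}

// Returns 'allow' or a 'deny: ...' reason. $session is updated in place.
function gate(array $server, array &$session, int $now, bool $adminArea): string {
    // 1. TLS with at least a 128-bit cipher. mod_ssl sets this variable only
    //    on HTTPS requests (and only with SSLOptions +StdEnvVars).
    if ((int)($server['SSL_CIPHER_USEKEYSIZE'] ?? 0) < MIN_KEY_BITS) return 'deny: weak or no TLS';
    // 2. No logged-in session means no direct access to protected pages.
    if (empty($session['user'])) return 'deny: not logged in';
    // 3. Idle timeout: discard the session after 15 minutes without a request.
    if ($now - ($session['last_seen'] ?? 0) > IDLE_LIMIT) {
        $session = [];
        return 'deny: idle timeout';
    }
    // 4. Admin pages: source network is an extra filter on top of the login,
    //    never a replacement for it.
    if ($adminArea) {
        $inside = false;
        foreach (ADMIN_NETS as $net) {
            if (ip_in_cidr($server['REMOTE_ADDR'] ?? '', $net)) { $inside = true; break; }
        }
        if (!$inside) return 'deny: outside admin network';
    }
    $session['last_seen'] = $now;
    return 'allow';
}

// Constructed requests. In a real page: session_start(); gate($_SERVER, $_SESSION, time(), true);
$office = ['SSL_CIPHER_USEKEYSIZE' => '128', 'REMOTE_ADDR' => '192.0.2.17'];
$remote = ['SSL_CIPHER_USEKEYSIZE' => '128', 'REMOTE_ADDR' => '198.51.100.9'];
$weak   = ['SSL_CIPHER_USEKEYSIZE' => '40',  'REMOTE_ADDR' => '192.0.2.17'];
$sess   = ['user' => 'clerk', 'last_seen' => 1000];
foreach ([[$office, 1300], [$remote, 1400], [$weak, 1500], [$office, 2400]] as [$req, $t]) {
    echo $t, ' ', $req['REMOTE_ADDR'], ' => ', gate($req, $sess, $t, true), PHP_EOL;
}
```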

PHP General Mailing List (http://www.php.net/)