On Monday 11 November 2002 23:56, Charles Wiltgen wrote:
> B.C. Lance wrote...
> > One reason that I could think of for not including the session id in the
> > URL and using cookies instead would be copy & paste.
> >
> > Users could just copy and paste the URL and send it to his/her friends,
> > and it could be a considerable number of people. Imagine a couple of people
> > clicking on the link. That session will be shared among that no. of
> > active people at that particular time. In short, session hijacking will
> > occur.
> True, but my understanding is that I can also check this against the user's
> IP address -- not perfect given NAT and proxies and all, but at least you'd
> limit the damage.  I'm sure some of the more experienced people on the list
> can suggest additional stuff to check against.

Check out this recent thread:


Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

As Will Rogers would have said, "There is no such things as a free variable."

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
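
The two measures discussed in this thread (keeping the session id out of the URL and checking the session against the client's address), as an added example that is not part of the original posts. The helper names and the `bound_net` session key are hypothetical, and comparing IPv4 addresses by /24 network rather than exactly is an assumption made here to tolerate the proxy case mentioned above; the check limits damage and does not tell apart users behind the same NAT.

```php
<?php
// Added example. client_network(), session_matches_client() and the
// 'bound_net' key are hypothetical names, not from the thread.

// Keep the session id out of URLs, so a copied link carries no session.
// Both settings must be applied before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Reduce an IPv4 address to its /24 network (an assumption of this example),
// so a client whose proxy rotates addresses within one range keeps its
// session. Anything else (IPv6, empty string) is compared as-is.
function client_network(string $ip): string
{
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return long2ip(ip2long($ip) & 0xFFFFFF00) . '/24';
    }
    return $ip;
}

// Bind the session to the client's network on first use; afterwards report
// whether the current request comes from the network it was bound to.
function session_matches_client(array &$session, string $remoteAddr): bool
{
    $net = client_network($remoteAddr);
    if (!isset($session['bound_net'])) {
        $session['bound_net'] = $net;
        return true;
    }
    return hash_equals($session['bound_net'], $net);
}

session_start();
$addr = $_SERVER['REMOTE_ADDR'] ?? '';

if (!session_matches_client($_SESSION, $addr)) {
    // The id was presented from a different network: treat the session as
    // exposed, discard its data and the old id, and start an empty session
    // bound to the current client. Everyone holding the old id must log in again.
    $_SESSION = [];
    session_regenerate_id(true);
    session_matches_client($_SESSION, $addr);
}
```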
