I thought of another thing: generating some string (using md5) and storing it in the session, and putting something that is related to this string in another cookie. But the one who stole the session cookie can also steal this one; it's not hard for him, he can get all the cookies related to my domain and set them on his computer.
So I guess there is no ultimate solution to this problem; for every solution, I got a crack for it, or some problems that limit me from providing my service to a lot of other users.
On 2/28/06, Anubis HH <[EMAIL PROTECTED]> wrote:
What you could do is that you could store some sort of
a hash on the server, e.g. md5.
On login you build this hash, and on every other
request you rebuild that hash and check it with the
original value. The hash could be built from the IP &
user Agent & whatever you have on mind. It would be
very hard for two computers to have all these
identical.
BUT! I recommend against this, since people using
clustered proxies will not be able to use your
application. Clustered proxies tend to change the IP &
user agent on every request. This means that you
shouldn't even protect the session with an IP address.
Ammar
_______________________________________________
Jordan PHP Users Group
http://php.jolug.org/
Php mailing list
[email protected]
http://mail.jolug.org/mailman/listinfo/php_jolug.org
--
Ala'a A. Ibrahim
http://alaa83.blogspot.com/
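
The server-side check described in the quoted message, as an added example that is not code from the thread: a fingerprint is stored at login and rebuilt on each request, with the IP component switchable to show the proxy problem the message warns about. The function names, the `SERVER_SECRET` constant and the sample requests are hypothetical, and HMAC-SHA256 is swapped in for the md5 mentioned above.

```php
<?php
// Added example, not code from the thread. Names below are hypothetical.
const SERVER_SECRET = 'replace-with-random-server-side-key'; // constructed placeholder

// Build the fingerprint from request attributes. $useIp toggles the IP
// component that the thread says breaks users behind clustered proxies.
function session_fingerprint(array $server, bool $useIp): string
{
    $parts = [$server['HTTP_USER_AGENT'] ?? ''];
    if ($useIp) {
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    // HMAC-SHA256 swapped in for md5; the key never leaves the server.
    return hash_hmac('sha256', implode('|', $parts), SERVER_SECRET);
}

// On login: store the fingerprint in the server-side session data.
function bind_session(array &$session, array $server, bool $useIp): void
{
    $session['fp'] = session_fingerprint($server, $useIp);
}

// On every later request: rebuild the hash and compare in constant time.
function session_matches(array $session, array $server, bool $useIp): bool
{
    return isset($session['fp'])
        && hash_equals($session['fp'], session_fingerprint($server, $useIp));
}

// Constructed sample requests (documentation-range addresses).
$login   = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)'];
$proxied = ['REMOTE_ADDR' => '192.0.2.77',   'HTTP_USER_AGENT' => 'Mozilla/5.0 (X11)'];
$other   = ['REMOTE_ADDR' => '198.51.100.5', 'HTTP_USER_AGENT' => 'curl/8.0'];

// In a real application $session is $_SESSION and $server is $_SERVER.
foreach ([true, false] as $useIp) {
    $session = [];
    bind_session($session, $login, $useIp);
    printf("useIp=%s same=%s proxied=%s other=%s\n",
        var_export($useIp, true),
        var_export(session_matches($session, $login, $useIp), true),
        var_export(session_matches($session, $proxied, $useIp), true),
        var_export(session_matches($session, $other, $useIp), true));
}
```

With the IP included, the same user arriving through a different proxy address no longer matches; with the IP left out, the check rests on the User-Agent alone, which is in line with the thread's conclusion that this is not an ultimate solution.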
