Re: [PHP] Re: Security Issues - Where to look?

2005-11-11 Thread GamblerZG
Richard Lynch wrote:
> On Thu, November 10, 2005 3:29 pm, GamblerZG wrote:
> > IMO, the best way is to re-generate SIDs on each request, but such method will decrease performance of a script.
> But if Cookies are off, you just destroyed their Back button in their browser, which should be a crime.

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote:
> IP is useless for identification or authentication of the general web-surfer:
> Users behind firewalls will all appear to be from one (1) IP
> AOL users change IPs faster than drummers change underwear
I think it's still reasonable to restrict a session to a single IP.
--

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Chris Shiflett
GamblerZG wrote:
> I think it's still reasonable to restrict a session to a single IP.
No, it's not, for all of the reasons Richard mentioned and more.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
--
PHP General Mailing List (http://www.php.net/)
To

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 1:08 pm, GamblerZG wrote:
> Richard Lynch wrote:
> > IP is useless for identification or authentication of the general web-surfer:
> > Users behind firewalls will all appear to be from one (1) IP
> > AOL users change IPs faster than drummers change underwear
> I think it's

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Chris Shiflett wrote:
> GamblerZG wrote:
> > I think it's still reasonable to restrict a session to a single IP.
> No, it's not, for all of the reasons Richard mentioned and more.
I agree that using only IP to identify a session is bad. Using only SID is ok. Using SIDs that are tied to a single IP is

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote:
> AOL users WILL change their IP in a single [web-surfing] session.
Ugh... I did not know that. That's horrible.

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 3:08 pm, GamblerZG wrote:
> Chris Shiflett wrote:
> > GamblerZG wrote:
> > > I think it's still reasonable to restrict a session to a single IP.
> > No, it's not, for all of the reasons Richard mentioned and more.
> I agree that using only IP to identify a session is bad. Using only

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
GamblerZG wrote:
> This comes at a price of a small inconvenience for dial-up users (since they would need to login on each reconnect), but I think such price is reasonable.
Ok, scrap this statement. I did not know about the AOL thing. But this one still stands:
> IMO, the best way is to

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Chris Shiflett
GamblerZG wrote:
> > > I think it's still reasonable to restrict a session to a single IP.
> > No, it's not, for all of the reasons Richard mentioned and more.
> I agree that using only IP to identify a session is bad.
Read more carefully. Enforcing IP consistency is bad, and many good reasons have

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread GamblerZG
Richard Lynch wrote:
> Please pay attention.
Sorry, I did not see your message when I posted that.

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Richard Lynch
On Thu, November 10, 2005 3:29 pm, GamblerZG wrote:
> IMO, the best way is to re-generate SIDs on each request, but such method will decrease performance of a script.
But if Cookies are off, you just destroyed their Back button in their browser, which should be a crime. Re-generate only when

Re: [PHP] Re: Security Issues - Where to look?

2005-11-10 Thread Jasper Bryant-Greene
GamblerZG wrote:
> Richard Lynch wrote:
> > Please pay attention.
> Sorry, I did not see your message when I posted that.
Oh and would you mind using an email address that exists? Every time I reply to one of your posts, I get a returned mail from highstream.net saying your user doesn't

[PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
> *Distrust everything coming from your users, even their user agents*
> *If you make your scripts take this into account, they'll be pretty secure*
Actually, I believe that the one thing you can trust is their IP addresses. Isn't it? By the way, I liked

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Chris Shiflett
Gustavo Narea wrote:
> By the way, I liked the link that Pablo suggested: http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
Be careful. There is a lot of misinformation out there regarding PHP security, and this article is a good example. Here's something that caught my eye: The second

RE: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread bruce
for this kind of app... ps.. this kind of app would not be trivial to create!!!
-bruce
-Original Message-
From: Chris Shiflett [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 08, 2005 12:08 PM
To: Gustavo Narea
Cc: php-general@lists.php.net
Subject: Re: [PHP] Re: Security Issues - Where

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Hello, Chris. I will take into account what you said. What you mentioned regarding that example is right. We have to take into account that cookies can be stolen. Thanks for the URLs, I will visit them. Cheers.
Chris Shiflett wrote:
> Gustavo Narea wrote:
> > By the way, I liked the link

[PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Hello. I found a document titled A Guide to Building Secure Web Applications http://www.cgisecurity.com/owasp/html/index.html while I was reading one of the documents you suggested to us, and I would like to know what you think about it.
--
Best regards,
Gustavo Narea.
PHP Documentation -

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Chris Shiflett
Gustavo Narea wrote:
> I found a document titled A Guide to Building Secure Web Applications http://www.cgisecurity.com/owasp/html/index.html while I was reading one of the documents you suggested to us, and I would like to know what you think about it.
The OWASP Guide is good, but that site has

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote:
> > *Distrust everything coming from your users, even their user agents*
> > *If you make your scripts take this into account, they'll be pretty secure*
> Actually, I believe that the one thing you can

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Richard Lynch
On Tue, November 8, 2005 2:55 pm, Gustavo Narea wrote:
> I found a document titled A Guide to Building Secure Web Applications http://www.cgisecurity.com/owasp/html/index.html while I was reading one of the documents you suggested to us, and I would like to know what you think about it.
Seems

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Thanks for the explanation, Richard. I'll definitely take it into account. So, let's distrust *everything*. Best regards.
Richard Lynch wrote:
> On Tue, November 8, 2005 9:43 am, Gustavo Narea wrote:
> > > *Distrust everything coming from your users, even their user agents*

Re: [PHP] Re: Security Issues - Where to look?

2005-11-08 Thread Gustavo Narea
Thanks once again, Chris. I must read that guide. Have a nice day!
Chris Shiflett wrote:
> Gustavo Narea wrote:
> > I found a document titled A Guide to Building Secure Web Applications http://www.cgisecurity.com/owasp/html/index.html while I was reading one of the documents you suggested to us, and