Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-07-02 Thread Bill Rausch
Rasmus, et al., OK, I'm still confused. What does SSL have to do with any of this? If I'm running a site using SSL, all that does is encrypt the transmitted info right? It doesn't have anything to do directly with the sessions though? The problem I'm wrestling with is: Person A logs in to

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-07-02 Thread Christopher Ostmo
Bill Rausch pressed the little lettered thingies in this order... Rasmus, et al., OK, I'm still confused. What does SSL have to do with any of this? SSL makes it impossible (well, improbable anyway) to sniff the session ID from the network. Without SSL, anyone on the network between the

AW: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread Bill Rausch
Sebastian Stadtlich said: there is an option in php.ini: session.referer_check = which should fit your needs; not sure how to use it, but probably one of the php-developers on this list can assist... I looked at this thing and can't figure out that it does very much. If someone makes a

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread Jason Brooke
I want to use PHP4 sessions for authentication, Ok, stop right there. Sessions and authentication have nothing to do with each other. To create a secure authenticated site you should be using HTTP-based authentication over SSL. Sessions are simply for maintaining state across http

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread adam (dahamsta)
Hi Rasmus, nice to see you still watching over us on the lists. I feel like I've been ticked off by my dad though... :) Rasmus Lerdorf [EMAIL PROTECTED] said: I want to use PHP4 sessions for authentication, Ok, stop right there. Sessions and authentication have nothing to do with each

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread Rasmus Lerdorf
I wasn't trying to be overly critical, I just worry that new users are reading these posts and see these insecure solutions to this problem and don't realize that they are inherently insecure. What I'm asking is basically What's the best and easiest way to go about this? I have come up with a

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread adam (dahamsta)
Hi Richard, Richard Lynch [EMAIL PROTECTED] said: I want to use PHP4 sessions for authentication, but I'm having difficulty If it's as important as all that, go with SSL. Ah, I'll be using SSL for the original authentication anyway. But the users will be browsing using regular HTTP,

RE: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread Robert Klinkenberg
PROTECTED]] Sent: Saturday, June 30, 2001 12:43 AM To: [EMAIL PROTECTED] Subject: AW: [PHP] Stopping stolen / spoofed / linked sessions Sebastian Stadtlich said: there is an option in php.ini: session.referer_check = which should fit your needs; not sure how

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-30 Thread adam (dahamsta)
Hi again Rasmus, thanks for your reply. Rasmus Lerdorf [EMAIL PROTECTED] said: I wasn't trying to be overly critical, I just worry that new users are reading these posts and see these insecure solutions to this problem and don't realize that they are inherently insecure. I understand

RE: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-29 Thread scott [gts]
: Wednesday, June 27, 2001 1:39 PM To: [EMAIL PROTECTED] Subject: [PHP] Stopping stolen / spoofed / linked sessions [Please copy replies off-list.] I want to use PHP4 sessions for authentication, but I'm having difficulty understanding how to get around users spoofing, stealing or linking

RE: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-29 Thread David Price
id the session key cannot be spoofed. Hope this helps, David Price -Original Message- From: adam (dahamsta) [mailto:[EMAIL PROTECTED]] Sent: Wednesday, June 27, 2001 10:39 AM To: [EMAIL PROTECTED] Subject: [PHP] Stopping stolen / spoofed / linked sessions [Please copy replies off-list

RE: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-29 Thread adam (dahamsta)
David Price [EMAIL PROTECTED] said: The way I got around this was to create a session key using an MD5 hash of the session id and the user's IP address. SNIP I know that the IP address can be spoofed, but I'm not sending the session id in the url, so no one knows what it is and without the

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-29 Thread Tom Rogers
Hi. When you start a session for the first time, store remote host info and validate it on subsequent accesses. Tom At 10:48 PM 28/06/01, [EMAIL PROTECTED] wrote: Hi adam! On Wed, 27 Jun 2001, adam (dahamsta) wrote: [Please copy replies off-list.] I want to use PHP4 sessions for

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-29 Thread Rasmus Lerdorf
I want to use PHP4 sessions for authentication, Ok, stop right there. Sessions and authentication have nothing to do with each other. To create a secure authenticated site you should be using HTTP-based authentication over SSL. Sessions are simply for maintaining state across http requests

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-28 Thread Stephen Cope
: defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if : the user came from my own site, but that can be spoofed. I can log and check : the user's IP address, but that can't be relied upon. : : Is there any reliable way around this? Am I missing something obvious? On the

Re: [PHP] Stopping stolen / spoofed / linked sessions

2001-06-28 Thread teo
Hi adam! On Wed, 27 Jun 2001, adam (dahamsta) wrote: [Please copy replies off-list.] I want to use PHP4 sessions for authentication, but I'm having difficulty understanding how to get around users spoofing, stealing or linking sessions. Here's an example: Alice sends Bob a link from a

[PHP] Stopping stolen / spoofed / linked sessions

2001-06-27 Thread adam (dahamsta)
[Please copy replies off-list.] I want to use PHP4 sessions for authentication, but I'm having difficulty understanding how to get around users spoofing, stealing or linking sessions. Here's an example: Alice sends Bob a link from a site she's logged into. Alice has cookies turned off in her