On Monday 11 November 2002 23:56, Charles Wiltgen wrote:
> B.C. Lance wrote...
>
> > one reason that i could think of for not including session id into URL
> > and using cookies would be copy & paste.
> >
> > users could just copy and paste the url and send it to his/her friends.
> > and it could be a considerable number of people. imagine a couple of people
> > clicking on the link. that session will be shared among that no. of
> > active people at that particular time. in short, session hijacking will
> > occur.
>
> True, but my understanding is that I can also check this against the user's
> IP address -- not perfect given NAT and proxies and all, but at least you'd
> limit the damage.  I'm sure some of the more experienced people on the list
> can suggest additional stuff to check against.

Check out this recent thread:

http://marc.theaimsgroup.com/?l=php-general&m=103621442315093&w=2

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.com.hk
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *

/*
As Will Rogers would have said, "There is no such things as a free variable."
*/


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
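
The two mitigations discussed in this thread (keeping the session ID out of URLs, and checking the session against the client's address), sketched as an added example that is not code from any poster in the thread. The function names, the `net_key` session key and the /24 (IPv4) and /64 (IPv6) prefix lengths are assumptions chosen for illustration; comparing a network prefix rather than the full address is one way to tolerate the NAT and proxy behaviour mentioned above.

```php
<?php
declare(strict_types=1);

// Never accept or emit session IDs in URLs, so a pasted link carries no session.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1'); // reject IDs the server did not issue

// Reduce an address to its network prefix (assumed: /24 for IPv4, /64 for IPv6)
// so a client whose address shifts inside one network is not logged out.
function client_network_key(string $ip): ?string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return null; // unparsable address: never matches
    }
    $keep = strlen($packed) === 4 ? 3 : 8; // prefix bytes to keep
    return bin2hex(substr($packed, 0, $keep));
}

// Bind the session to the first network seen; later requests must match it.
// 'net_key' is a hypothetical key name used only in this example.
function session_matches_client(array &$session, string $ip): bool
{
    $key = client_network_key($ip);
    if ($key === null) {
        return false;
    }
    if (!isset($session['net_key'])) {
        $session['net_key'] = $key; // first request: record the binding
        return true;
    }
    return hash_equals($session['net_key'], $key);
}

session_start();
if (!session_matches_client($_SESSION, $_SERVER['REMOTE_ADDR'] ?? '')) {
    // Another network presented this ID: move the requester to a new ID
    // without deleting the stored session, then start it empty.
    session_regenerate_id(false);
    $_SESSION = [];
}
```

Users behind the same NAT or proxy share a prefix, so this check narrows who can reuse a leaked ID but does not replace cookie-only sessions.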
