From: Randall R. <ra...@ra...> - 2003-01-04 16:22:11
Jer...@fi... wrote:
> On Saturday 04 January 2003 04:28, Randall Randall wrote:
>
> Anyway, session id are usually made by a combined
> user-agent/remote_add/agent-language ..etc some stuff that it
> more unique as possible and you just need to check it validation
> by marshall all the ENV_VAR pushed by the client. By this way
> even a stolen SID make it hard to use.
>
> I never used the SID of webware, but I think it should use this
> mechanism

Currently I have an option in my sites to track IP, so if the client
wants to be somewhat more secure against session hijacking at the cost
of not being able to connect from behind some proxying firewalls, they
can do so.

--
Randall Randall <ra...@ra...>
"[The] poetic justice of cause and effect compels respect, compassion."
 -- Faithless, God is a DJ.
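
The binding discussed in this message, as an added example that is not part of the original post and not Webware's session code: a random SID is tied to a hash of the client's request attributes, with IP tracking as a per-session option. The names `fingerprint`, `SessionStore` and `demo`, the CGI-style environment keys and the sample requests are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def fingerprint(env, track_ip):
    """Hash the client attributes a session is bound to (CGI-style keys assumed)."""
    fields = [env.get("HTTP_USER_AGENT", ""), env.get("HTTP_ACCEPT_LANGUAGE", "")]
    if track_ip:
        fields.append(env.get("REMOTE_ADDR", ""))
    h = hashlib.sha256()
    for f in fields:
        raw = f.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)  # length prefix keeps fields unambiguous
    return h.hexdigest()

class SessionStore:  # hypothetical store, not Webware's session API
    def __init__(self):
        self._sessions = {}

    def create(self, env, track_ip=False):
        sid = secrets.token_urlsafe(32)  # the SID stays random; env only binds it
        self._sessions[sid] = (track_ip, fingerprint(env, track_ip))
        return sid

    def validate(self, sid, env):
        rec = self._sessions.get(sid)
        if rec is None:
            return False
        track_ip, stored = rec
        return hmac.compare_digest(stored, fingerprint(env, track_ip))

def demo():
    # Constructed sample requests (documentation address range 192.0.2.0/24).
    user = {"HTTP_USER_AGENT": "Mozilla/5.0 (constructed)",
            "HTTP_ACCEPT_LANGUAGE": "en-US", "REMOTE_ADDR": "192.0.2.10"}
    other_ip = dict(user, REMOTE_ADDR="192.0.2.99")  # same browser, new egress IP
    other_ua = dict(user, HTTP_USER_AGENT="OtherAgent/1.0 (constructed)")
    store = SessionStore()
    strict = store.create(user, track_ip=True)
    loose = store.create(user, track_ip=False)
    return {
        "strict_same_client": store.validate(strict, user),
        "strict_new_ip": store.validate(strict, other_ip),  # proxy users hit this too
        "loose_new_ip": store.validate(loose, other_ip),
        "loose_new_agent": store.validate(loose, other_ua),
    }

if __name__ == "__main__":
    print(demo())
```

The header values are supplied by the client, so a party that observed the original request can replay them; the header binding raises the cost of reusing a stolen SID, and the IP option adds a check that is harder to reproduce.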