Re: [Phplib-users] cookie stealing
From: Kevin F. <fre...@ip...> - 2001-11-01 23:32:58
I have tried to add this type of functionality to the authentication process but with little success. If the user used AOL, CompuServe, etc., one of the ISPs that use proxy pre- or post-fetch caches, then after authentication the caching servers would try to access the site and collect data using the cookie. This step would return a cookie from the wrong IP address and invalidate the session.

One workaround was to tell the user to start IE or Netscape after logging into the ISP so the caching/proxy system would not start. There is a whole list of sites in Google (mostly university sites) that walk the user through connecting to the ISP and then starting IE/Netscape to fix this type of problem.

The final solution that I came up with was using an external system for authentication over an https connection and "secure cookies". This would then create another session object inside the data store and pass it back to the user as session_id. All user validation would take place over https and regular traffic over http. Most systems do not proxy the secure data, which thus allowed us to make sure the cookie is not stolen or moved, by using the IP address to revalidate the authentication session. In addition, by using SSL session caching, and http connections when security could be trusted, we avoided the performance hit of using only an https connection for each page transaction.

Kevin Fredrick
Software Technician
Walter E. Helmke Library
Indiana University - Purdue University Fort Wayne
219-481-5445
http://www.lib.ipfw.edu/

>>> "order through chaos" <ke...@go...> 11/01/01 05:53PM >>>
hi!

did anyone code something that checks other infos beside cookies to check session validity? (like an IP, and an md5 of some client info, for eg.)

coz anyone stealing the cookie could be logged in, so it's no matter if you send the password in md5 or not.. :P

anyone?

keo
--
don't believe everything you think.
_______________________________________________
Phplib-users mailing list
Php...@li...
https://lists.sourceforge.net/lists/listinfo/phplib-users
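The two designs discussed in this thread, as an added example that is not phplib code and not Kevin's or keo's own implementation. It contrasts a single IP-bound session cookie (the approach that breaks when an ISP pre-fetch cache replays the cookie from a different address) with the split scheme Kevin describes: an IP-bound auth session presented only over https via a Secure cookie, plus a separate session_id used over plain http that is not IP-bound. The client fingerprint (keo's "md5 of some client info") is included as a weak extra check; all class and function names, the store layout and the IP addresses in the scenario are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Hypothetical helper: hash of headers the client sends consistently. An attacker who copies
# the cookie can usually copy these too, and a proxy that rewrites headers trips this check
# just as it trips an IP check, so treat it as a weak signal only.
def client_fingerprint(user_agent: str, accept_language: str) -> str:
    return hashlib.sha256(f"{user_agent}\n{accept_language}".encode()).hexdigest()

# Set-Cookie line for the auth token; Secure tells the browser to send it only over https
# (assumed cookie name).
def secure_cookie_header(token: str) -> str:
    return f"Set-Cookie: auth_session={token}; Secure; Path=/"

class NaiveIpBoundStore:
    """One session cookie, revalidated against the client IP on every request."""
    def __init__(self):
        self.sessions = {}

    def login(self, user: str, ip: str) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": user, "ip": ip}
        return sid

    def validate(self, sid: str, ip: str):
        s = self.sessions.get(sid)
        if s is None:
            return None
        if s["ip"] != ip:
            # Mismatch is treated as theft and the session is destroyed. A caching proxy
            # fetching with the user's cookie from its own address triggers exactly this.
            del self.sessions[sid]
            return None
        return s["user"]

class SplitSessionStore:
    """Auth session (https only, IP-bound) plus an application session_id (http, not IP-bound)."""
    def __init__(self):
        self.auth = {}   # auth_token -> {"user", "ip"}; only ever seen on https requests
        self.app = {}    # session_id -> {"user", "auth_token", "fp"}; used over plain http

    def login(self, user: str, ip: str, fingerprint: str):
        auth_token = secrets.token_hex(16)
        self.auth[auth_token] = {"user": user, "ip": ip}
        session_id = secrets.token_hex(16)
        self.app[session_id] = {"user": user, "auth_token": auth_token, "fp": fingerprint}
        return auth_token, session_id

    def validate_http(self, session_id: str, fingerprint: str):
        # Plain-http traffic may arrive from an ISP cache, so no IP comparison here;
        # the session is only as good as the auth session it hangs off.
        s = self.app.get(session_id)
        if s is None or s["auth_token"] not in self.auth:
            return None
        if not hmac.compare_digest(s["fp"], fingerprint):
            return None
        return s["user"]

    def revalidate_https(self, auth_token: str, ip: str) -> bool:
        # Caches do not proxy https, so the IP seen here is the user's own.
        a = self.auth.get(auth_token)
        if a is None:
            return False
        if a["ip"] != ip:
            # Stolen or moved secure cookie: revoke it and every app session tied to it.
            del self.auth[auth_token]
            for sid in [k for k, v in self.app.items() if v["auth_token"] == auth_token]:
                del self.app[sid]
            return False
        return True

def demo() -> dict:
    """Constructed scenario: user logs in from 10.0.0.5, the ISP cache replays the cookie
    from 10.0.0.99, and later a stolen secure cookie is presented from 203.0.113.7."""
    user_ip, proxy_ip, attacker_ip = "10.0.0.5", "10.0.0.99", "203.0.113.7"
    fp = client_fingerprint("Mozilla/4.0 (compatible; MSIE 5.5; AOL 6.0)", "en-us")

    naive = NaiveIpBoundStore()
    sid = naive.login("kevin", user_ip)
    naive.validate(sid, proxy_ip)                          # cache pre-fetch kills the session
    naive_user_after_proxy = naive.validate(sid, user_ip)  # real user is now locked out

    split = SplitSessionStore()
    auth_token, session_id = split.login("kevin", user_ip, fp)
    split_user_via_proxy = split.validate_http(session_id, fp)    # cache fetch still works
    split_https_ok = split.revalidate_https(auth_token, user_ip)  # user's own https request
    stolen_ok = split.revalidate_https(auth_token, attacker_ip)   # stolen cookie: revoked
    split_user_after_theft = split.validate_http(session_id, fp)  # app session died with it

    return {
        "naive_user_after_proxy": naive_user_after_proxy,
        "split_user_via_proxy": split_user_via_proxy,
        "split_https_ok": split_https_ok,
        "stolen_ok": stolen_ok,
        "split_user_after_theft": split_user_after_theft,
    }

if __name__ == "__main__":
    print(demo())
```

The point of the split is where the IP check lives: it runs only on the https revalidation, which the ISP caches do not intercept, so a cache replaying the plain-http session_id does not lock the user out, while a secure cookie replayed from another address still revokes everything.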