Re: Rp.: Re: [Phplib-users] Sessions where are we going??
From: Donncha O C. <don...@tr...> - 2002-07-02 17:15:15
What I'm proposing is a little different to what you described below. I
implemented something similar to protect an app. The secret key was
associated with the username.
With my proposal I'm associating the key with the session, therefore
protecting the session, not the username so that the same username could be
used multiple times, but the one session couldn't be hijacked by a 3rd party.

Donncha.

On Tuesday 02 July 2002 17:54, Mike Green wrote:
> Donncha O Caoimh wrote:
> > I think it's probably an idea worth looking at, does anyone else
> > agree/disagree/care?
>
> In my case (and it is possible that I represent many more than just
> myself), I do care. I have been saving all of the emails in this thread
> with the intention of taking some time to digest the thoughts being
> expressed. But we know where the road paved with good intentions goes ;-)
> -- and I so far have not taken that time. So I cannot argue any of the
> points with conviction.
>
> I will remark that, if in my quick scanning of your email on the topic I
> understood at all what you were proposing, I believe the idea of a cookie
> with some very random number as the key should work. I worked on a system a
> while back which was set up (by someone else) with a similar -- if not the
> same -- scheme. One of the results was that if one opened another browser
> and logged into the site one was automatically logged out (i.e. the
> "session" was lost) of the site on the original browser. They were,
> however, not using PHP sessions, but a completely home-grown substitute for
> PHP sessions. Probably not nearly as efficient, but it did have the
> advantage that they understood (I think) their own system and (perhaps) no
> one else did...
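The two designs discussed in this message, a random secret bound to the username versus one bound to each session, as an added example that is not part of the thread and not PHPLib code. It is written in Python as a language-neutral sketch of the scheme rather than in PHP; the class and function names, the in-memory stores and the "alice" login are all constructed for illustration. A second random value is issued per session and must accompany the session id on every request, so a captured session id alone is not enough; the per-username variant reproduces the behaviour Mike describes, where a second login invalidates the first browser's session.

```python
import hmac
import secrets


class PerSessionSecretStore:
    """Constructed in-memory store for the scheme proposed in the thread:
    every session carries its own random secret, independent of the username."""

    def __init__(self):
        self._sessions = {}  # session_id -> {"username": ..., "secret": ...}

    def login(self, username):
        # Two independent random values: the session id the client already
        # presents, plus a per-session secret sent back in a second cookie.
        sid = secrets.token_urlsafe(24)
        secret = secrets.token_urlsafe(24)
        self._sessions[sid] = {"username": username, "secret": secret}
        return sid, secret

    def authenticate(self, sid, secret):
        """Return the username if (sid, secret) match a live session, else None."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        # constant-time compare so the secret cannot be guessed byte by byte
        if not hmac.compare_digest(entry["secret"], secret or ""):
            return None
        return entry["username"]


class PerUsernameSecretStore:
    """Constructed store for the contrasting design both writers mention:
    one secret per username, so a fresh login replaces the earlier secret."""

    def __init__(self):
        self._sessions = {}        # session_id -> username
        self._secret_by_user = {}  # username -> current secret

    def login(self, username):
        sid = secrets.token_urlsafe(24)
        secret = secrets.token_urlsafe(24)
        self._sessions[sid] = username
        self._secret_by_user[username] = secret  # overwrites any earlier login
        return sid, secret

    def authenticate(self, sid, secret):
        username = self._sessions.get(sid)
        if username is None:
            return None
        expected = self._secret_by_user.get(username, "")
        if not hmac.compare_digest(expected, secret or ""):
            return None
        return username


def compare_schemes():
    """Exercise both stores with the situations discussed in the thread."""
    results = {}

    per_session = PerSessionSecretStore()
    sid1, sec1 = per_session.login("alice")
    sid2, sec2 = per_session.login("alice")  # same user, second browser
    results["per_session_first_login_ok"] = per_session.authenticate(sid1, sec1) == "alice"
    results["per_session_second_login_ok"] = per_session.authenticate(sid2, sec2) == "alice"
    # a third party who captured only the session id does not hold the secret
    results["per_session_sid_only_rejected"] = per_session.authenticate(sid1, "") is None
    results["per_session_wrong_secret_rejected"] = per_session.authenticate(sid1, sec2) is None
    results["per_session_unknown_sid_rejected"] = per_session.authenticate("nosuchsid", sec1) is None

    per_user = PerUsernameSecretStore()
    usid1, usec1 = per_user.login("alice")
    usid2, usec2 = per_user.login("alice")  # second browser logs in
    results["per_user_second_login_ok"] = per_user.authenticate(usid2, usec2) == "alice"
    # the first browser's secret was replaced, so it is effectively logged out
    results["per_user_first_login_now_rejected"] = per_user.authenticate(usid1, usec1) is None

    return results


if __name__ == "__main__":
    for name, ok in compare_schemes().items():
        print(f"{name}: {ok}")
```

The per-session store is the one that lets the same username be used from several browsers at once while still tying each session to a value that never travels in the session id; in a real deployment the secret cookie would be marked so that it is only sent over HTTPS and is not readable by script, and the server-side entry would be dropped on logout or expiry.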