RE: [Phplib-users] Re: latest snapshot
From: Richard A. <rh...@ju...> - 2002-11-07 04:51:56
At 23:29 -0500 6/11/02, Rob Hutton wrote:
>Interesting idea about changing the session ID. I don't see any kind of
>session_replicate and if you change the id manually, you lose everything.
>I would think this could get to be a serious amount of overhead on the
>server, too.

I would not expect any significant additional overhead on the server. You just need to generate a new session ID and change the database query which stores the session so that it updates the session ID when it stores the session variables. I wouldn't think there'd be more than about 10 lines of extra code in PHPLIB.

Might be an interesting option to add sometime... have to make it optional via a local.inc switch!

>Someone in the manual suggested storing the IP of the remote machine in the
>session and refusing to start it if the session request comes from somewhere

Yeah, well that's a bogus suggestion because you'll break things for so many people your site will become useless.

>> Yup. If you want even a veneer of security, run the session over SSL.
>
>Except SSL isn't that hard to crack ;-)

First time I've heard that... I would have thought cracking SSL connections in anything resembling real time without military-grade hardware would be big news. Got any pointers to how that's done?

>> No need to insert a session cookie into the browser's runtime state.
>> Quit the browser, add a permanent cookie to your cookie jar with a text
>> editor, start the browser, load the URL. There is no inherent
>> difference between a permanent cookie and a session cookie except that
>> the browser caches them differently.
>
>So the cookie lifetime should be checked to make sure it is 0. Will add to
>my mods to auth.

Except you don't get told what the cookie lifetime is. All you get back from the browser is the cookie name and value.

...R.
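Session ID rotation of the kind described in the message above (rekey the stored row when the session is written), as an added example that is not PHPLIB's code. The table name active_sessions, its columns, and the in-memory SQLite store are assumptions so the script runs stand-alone; the closing comment in rotate_session_id also covers the cookie-lifetime point, since the browser only ever sends name=value back.

```php
<?php
// Added example (not PHPLIB code): rotate a session ID in a SQL-backed
// session store with one UPDATE, as the message above describes.
// Assumptions: a hypothetical table "active_sessions" keyed by sid, and an
// in-memory SQLite database so the script runs stand-alone (php cli).

function new_session_id(): string {
    // 128 bits from the OS CSPRNG, so a new ID cannot be predicted from an old one
    return bin2hex(random_bytes(16));
}

function rotate_session_id(PDO $db, string $old_sid): string {
    $new_sid = new_session_id();
    // Rekeying the existing row keeps the session variables and invalidates
    // the old ID at the same moment: a copied old ID no longer resolves.
    $db->beginTransaction();
    $stmt = $db->prepare(
        'UPDATE active_sessions SET sid = :new, changed = :now WHERE sid = :old');
    $stmt->execute([':new' => $new_sid, ':now' => time(), ':old' => $old_sid]);
    if ($stmt->rowCount() !== 1) {          // unknown or already-rotated ID
        $db->rollBack();
        throw new RuntimeException('no such session');
    }
    $db->commit();
    // The caller must now send the new ID to the browser, e.g.
    // setcookie($name, $new_sid, 0, '/', '', true, true); an expiry of 0
    // makes it a session cookie, but the browser only ever echoes name=value
    // back, so the server cannot verify how the client stored it.
    return $new_sid;
}

function load_session(PDO $db, string $sid): ?array {
    $stmt = $db->prepare('SELECT val FROM active_sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetchColumn();
    return $row === false ? null : unserialize($row, ['allowed_classes' => false]);
}

// Constructed demo data
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (sid TEXT PRIMARY KEY, name TEXT, val TEXT, changed INTEGER)');
$old = new_session_id();
$db->prepare('INSERT INTO active_sessions VALUES (?, ?, ?, ?)')
   ->execute([$old, 'Example_Session', serialize(['uid' => 42]), time()]);
$new = rotate_session_id($db, $old);
assert(load_session($db, $old) === null);            // old ID is dead
assert(load_session($db, $new) === ['uid' => 42]);   // state survived the rotation
echo "rotated ", substr($old, 0, 8), "... -> ", substr($new, 0, 8), "...\n";
```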