Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-04 15:09:19
Rob Hutton wrote:
> Actually it is not implemented in most circumstances and does not address
> NAT at all, which is a major issue.

True. It just can cover a bit more cases than the REMOTE_ADDR

Anyway, seen that Kristian is around, I wanted to elaborate that One_time_password idea.

This is a URL only system. The url is something like

?PHPSESSID=11111-aaaaa

where '11111' is our traditional md5 32 byte cookie, that stays constant, while 'aaaaa' is another 32 byte part, that always changes.

How is the 'aaaa' part taken? On session startup, a fair number of 32 byte random hashes is generated, and saved in the session. The url-rewriting function ($sess->url() ?) appends to each hyperlink one different hash, taken from the session array with these pregenerated ones, and flags it as 'shown'.

Upon requesting one of these links, the session function checks that the 'aaaa' part is among the ones flagged as shown. If it is, it flags it as 'used', otherwise no way.

No cookie, only GET, and no possibility to guess or steal the second half. A lot of CPU on 'refilling' the array once exhausted, though.

How does it sound?

Gian
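
The token life cycle described in this message (pregenerated, shown, used), sketched in PHP 8 as an added example; it is not code from the post or from PHPLIB, and the class and method names are hypothetical. The pool would be saved with the session data; here it is held in memory, and the demo values are constructed.

```php
<?php
// Added illustration: names are hypothetical, not PHPLIB API. Requires PHP 8.
final class OneTimeTokenPool
{
    private const FRESH = 0; // generated, not yet placed in a link
    private const SHOWN = 1; // appended to a link sent to the browser
    private const USED  = 2; // redeemed once already
    private array $tokens = []; // token => state; would be saved in the session

    public function __construct(private int $poolSize = 8)
    {
        $this->refill();
    }

    // Drop spent tokens, then pregenerate new ones (16 random bytes = 32 hex chars).
    private function refill(): void
    {
        $this->tokens = array_filter($this->tokens, fn($s) => $s !== self::USED);
        for ($i = 0; $i < max(1, $this->poolSize); $i++) {
            $this->tokens[bin2hex(random_bytes(16))] = self::FRESH;
        }
    }

    // URL-rewriting step: hand out a different pregenerated token for each link.
    public function issue(): string
    {
        $token = array_search(self::FRESH, $this->tokens, true);
        if ($token === false) { // pool exhausted: the costly refill
            $this->refill();
            $token = array_search(self::FRESH, $this->tokens, true);
        }
        $this->tokens[$token] = self::SHOWN;
        return $token;
    }

    // Request check: accept a token only if it is flagged SHOWN, then flag it USED.
    public function redeem(string $token): bool
    {
        if (($this->tokens[$token] ?? null) !== self::SHOWN) {
            return false; // unknown, never shown, or already used
        }
        $this->tokens[$token] = self::USED;
        return true;
    }
}
// Constructed demo; the constant session-id half is a placeholder value.
$pool = new OneTimeTokenPool(4);
$t = $pool->issue();
echo '?PHPSESSID=' . str_repeat('1', 32) . '-' . $t, PHP_EOL;
// Checks, in order: first use of a shown token, a replay, a never-issued value.
var_dump($pool->redeem($t), $pool->redeem($t), $pool->redeem(str_repeat('a', 32)));
```

In this sketch a token stays redeemable from the moment it is shown until it is first requested, and a link that has been followed once (for example, revisited with the back button) is refused afterwards.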