Re: [Phplib-users] store the IP in the session
From: Kristian K. <kr...@ko...> - 2002-12-05 09:08:40
On Wed, Dec 04, 2002 at 07:33:44PM +0100, Giancarlo wrote:
> Giancarlo wrote:
> >Excuse me, but if I propose you to click on a link as
> >https://phplib.sourceforge.net/showoff.php3?PHPSESSID=1
> ^^^^^^^
> Notice that is using SSL.
>
> So the idea to mark the session somehow, to prevent opening starting
> user-chosen, nonexistent id, is good.
> The idea of the IP I'd let implement to those who want.

Somebody who does not use SSL does not want to be secure. You could code around that, but you would end up reimplementing SSL at the user level, which is silly.

Somebody who does not use session cookies, but forces us to use GET parameters, does not want to be secure, either. Again, we can code around that, but it is useless and bloats our code.

If you want to implement a secure site, offer SSL and cookie mode. If your users do come in not using SSL, offer them a link to your SSL site. If your users do come in not using cookies, offer them a link to a page that explains why this is a bad thing to do and how they can change that. Also install a proper P3P policy.

If they choose not to use the help you offer, it is their risk; they take it against our recommendation and their better knowledge, and we cannot help them. We really should not bloat our code for them.

Kristian
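As an added example (not code from this thread or from PHPLib), the server-side marking Giancarlo describes combined with the SSL-and-cookies-only policy Kristian recommends, written against PHP's native session functions; the `issued_by_server` session key is an assumed name:

```php
<?php
// Added example, not PHPLib code: only honour session ids this server issued,
// accept them from a cookie only, and send that cookie over SSL only.

// Never read the session id from a GET parameter such as ?PHPSESSID=1.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie is sent over HTTPS only and is not readable from client-side script.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// Reject ids that were never created here (supported since PHP 5.5.2).
ini_set('session.use_strict_mode', '1');

session_start();

// Belt and braces: every session this server creates carries a mark.
// A session that arrives without the mark was started with a caller-chosen,
// previously nonexistent id, so discard it and issue a fresh one.
if (empty($_SESSION['issued_by_server'])) {   // assumed key name
    session_unset();
    session_regenerate_id(true);              // drop the caller-chosen id
    $_SESSION['issued_by_server'] = true;
    $_SESSION['created'] = time();
}
```

Visitors who arrive over plain HTTP get no session cookie at all with `secure => true`, which is the point where the site should redirect them to its SSL address, as Kristian suggests.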