RE: [Phplib-users] store the IP in the session
From: Rob H. <rob...@ws...> - 2002-12-05 14:57:17
> -----Original Message-----
> From: php...@li...
> [mailto:php...@li...]On Behalf Of Giancarlo
> Sent: Thursday, December 05, 2002 6:49 AM
> To: phplib-users
> Subject: Re: [Phplib-users] store the IP in the session
>
>
> Kristian Koehntopp wrote:
> > Somebody who does not use session cookies, but forces us to use
> > GET parameters does not want to be secure, either. Again, we can
> > code around that, but it is useless and bloats our code.
> >
>
> Yes, but also we should explain very clearly, to ourselves first, that
> using session cookies too, is prone to being forced into using GET... as
> I am not sure yet there is a strong technical explanation.
> So I'd add a $sticky_mode session variable to prevent or allow
> mode shifts.
>
That's a question of configuration. If you don't want it to fall back to
GET, then don't enable that. I think it should be defined more clearly,
something like $mode = array("cookie", "get", "post") (vs. the current
$fallback_mode) because this would allow new modes to be added and a
preference list built ($mode = array("cert", "cookie")) where cert is an
extension of cookie that handles PKI authentication. But you can already
prevent mode shifts.

Secondly, if this is going into the current snapshot auth, Joe and I have
some very real problems with the unstructured approach. These need to be
addressed before further work is done. I will post the one I modified to
the patches area today.

Rob Hutton
Web Safe
www.wsafe.com
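
A sketch of the ordered allow-list idea from the message above, added here as an example; it is not code from PHPLIB or from anyone in the thread. The helper name `resolve_session_id`, the 32-hex-character id format and the sample request are assumptions.

```php
<?php
// Hypothetical helper, not part of PHPLIB: take the session id from the first
// transport in the ordered allow-list that actually carries a well-formed id.
// Transports that are not listed are never consulted, so an id supplied that
// way cannot shift the session into another mode.
function resolve_session_id(array $modes, string $name,
                            array $cookie, array $get, array $post): ?array
{
    $sources = array("cookie" => $cookie, "get" => $get, "post" => $post);
    foreach ($modes as $mode) {
        if (!isset($sources[$mode])) {
            continue; // a mode such as "cert" has no handler in this sketch
        }
        $id = $sources[$mode][$name] ?? null;
        // Assumed id format: 32 lowercase hex characters.
        if (is_string($id) && preg_match('/^[0-9a-f]{32}$/', $id)) {
            return array("mode" => $mode, "id" => $id);
        }
    }
    return null; // nothing acceptable: the caller starts a fresh session
}

// Constructed sample request: the id arrives only as a GET parameter.
$name   = "Example_Session";
$id     = str_repeat("ab", 16);
$cookie = array();
$get    = array($name => $id);
$post   = array();

// Cookie-only configuration: the GET-supplied id is ignored (result is NULL).
var_dump(resolve_session_id(array("cookie"), $name, $cookie, $get, $post));

// Preference list with fallback: cookie is tried first, then GET is accepted.
var_dump(resolve_session_id(array("cookie", "get"), $name, $cookie, $get, $post));
```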