Re: [Phplib-users] store the IP in the session
From: Giancarlo <gia...@na...> - 2002-12-06 23:07:58
> > OK, but if they are smart enough to sniff a cookie off of the wire, then

I am always talking about inadvertently clicking on a link like
https://www.www/www?PHPSESSID=1 somewhere; you click on that link and it brings
you to your cookie-enabled site where, in case I register or log in or simply
visit, someone can re-enter in my place and start from the situation as when I
left.

> they are smart enough to set one. That's what we are trying to prevent,
> correct? The movement from cookie to GET?

Both, but the main worry is from GET to cookie. From less to more trust &
persistence.

Catching this supposes first that a cookie header is sent any time, even when
there is a GET request, and not to interpret the presence of a GET sid as
'non-availability of cookies'.

We have two types of tickets at the cinema. One is for an isolated, more aseptic
gallery upstairs. The other is for the more promiscuous stalls downstairs, all
together, where there are a lot of germs and it's easier to catch influenza ;-)

You don't do well by your clients who should be lodged in area A when you direct
them down to area B. And you don't do well either when you let people coming
from area B enter area A.

Also the referer check, in case the sid is in the URL, is very useful. A must, I
think. There is a php.ini directive, session.referer_check = www.www; it
intervenes only when there is a referer. But we can block when there is no
referer. Bookmarks have no referer, nor do links in email messages. GET SIDs
without a referer should be checked. This would block a good deal.

I don't like the idea that the session management I implement is so easy to
spoof en masse, by absolutely whoever wants, with just a browser. The link
itself becomes a trojan.

It's message #280 by me on this subject. Dunno why every time I restart this
music, some patch reminded me ;-), I am tired. It's so much easier for anyone
to exploit this than to explain it to the experts. I even don't care anymore.
Forget this and don't worry.

G
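The policy sketched in the message above (never let a sid arriving in the URL override an existing cookie session, refuse URL sids that arrive without a referer, and check that the referer is our own host rather than relying only on the substring match of session.referer_check) can be written as a small bootstrap in front of session_start(). The following is an added example for this thread, not PHPLib code and not anything from the original post; it assumes PHP 7.1 or later, a session cookie named PHPSESSID, and a trusted host name supplied by the caller. The request arrays used in the CLI self-check at the bottom are constructed for illustration.

```php
<?php
// Added example (not PHPLib code). Assumptions: session name PHPSESSID,
// PHP >= 7.1, $trustedHost is the site's own host name, and
// bootstrap_session() runs before any output is sent.

const SESSION_NAME = 'PHPSESSID';

/**
 * Decide whether a session id carried in the query string may be adopted.
 * Returns the id to use, or null when the URL id must be ignored.
 */
function acceptable_url_sid(array $get, array $cookie, array $server, string $trustedHost): ?string
{
    $urlSid = $get[SESSION_NAME] ?? null;
    if ($urlSid === null) {
        return null;                         // no sid in the URL, nothing to decide
    }
    // 1. The browser already holds a session cookie, so it can take cookies:
    //    a URL sid must not replace (or rename) the cookie session.
    if (isset($cookie[SESSION_NAME])) {
        return null;
    }
    // 2. No referer at all (bookmark, mailed link, typed URL): refuse.
    //    session.referer_check alone does nothing in this case.
    $referer = $server['HTTP_REFERER'] ?? '';
    if ($referer === '') {
        return null;
    }
    // 3. The referer must name our own host (exact host comparison, not the
    //    substring match that session.referer_check performs).
    $refHost = parse_url($referer, PHP_URL_HOST);
    if ($refHost === null || $refHost === false || strcasecmp($refHost, $trustedHost) !== 0) {
        return null;
    }
    // 4. Only accept ids shaped like the ones PHP generates.
    if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $urlSid)) {
        return null;
    }
    return $urlSid;
}

function bootstrap_session(string $trustedHost): void
{
    // Stop PHP itself from reading the id out of the URL; the id is adopted
    // below only when acceptable_url_sid() allows it.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    session_name(SESSION_NAME);

    $sid = acceptable_url_sid($_GET, $_COOKIE, $_SERVER, $trustedHost);
    if ($sid !== null) {
        session_id($sid);
    }
    session_start();

    // An id that once travelled in a URL is never kept: issue a fresh cookie
    // id at once and delete the old session file.
    if ($sid !== null) {
        session_regenerate_id(true);
    }
}

// Call at every privilege change (login) so a pre-set id is never promoted.
function on_login(): void
{
    session_regenerate_id(true);
}

if (PHP_SAPI === 'cli') {
    // Constructed requests exercising the policy; no web server needed.
    $host = 'www.example.test';
    $sid  = str_repeat('a', 32);
    $cases = [
        'mailed link, no referer'  => [[SESSION_NAME => $sid], [], [], null],
        'cookie already present'   => [[SESSION_NAME => $sid], [SESSION_NAME => str_repeat('b', 32)],
                                       ['HTTP_REFERER' => 'https://www.example.test/page'], null],
        'foreign referer'          => [[SESSION_NAME => $sid], [],
                                       ['HTTP_REFERER' => 'https://other.example.test/page'], null],
        'own-site link, no cookie' => [[SESSION_NAME => $sid], [],
                                       ['HTTP_REFERER' => 'https://www.example.test/page'], $sid],
    ];
    foreach ($cases as $label => [$get, $cookie, $server, $expected]) {
        $got = acceptable_url_sid($get, $cookie, $server, $host);
        printf("%-26s %s\n", $label, $got === $expected ? 'ok' : 'MISMATCH');
    }
}
```

Running the file from the command line prints "ok" for all four constructed cases; in a web request, call bootstrap_session('www.example.test') before any output and on_login() after a successful credential check. The regenerate-on-adoption step is what closes the "from GET to cookie" path the message worries about: even a URL sid that passes the referer check never becomes the long-lived cookie session.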