Gian,
G> Among the many useful suggestions one can read in the docs, I can't see any that
G> would state how, for a proper auth, and well before SSL, short expire etc.
That is a good point.
G> , only a cookie_only propagation mode
G> (mode=cookie, fallback=cookie) can guarantee the max security available.
And this begin to sound to me like a soap opera. I see this install
just like an option only, not as a must. It does not add substantial
security, while impose tight limits on user behavior. I don't buy this
statement. Only descent usage of your own head can guarantee the max
security available, even with GET fallback mode.
G> I don't know if this info is missing because is too obvious, or because you
G> are not fully convinced of it, or what else.
G> And in fact, by proposing Php4 session (which cannot handle cookie_only mode) for
G> everything, such a setup is even discouraged .
As well as use of PHP4 because of it is buggy, immature, insecure and miss some
features :)
You made your best to convince everybody in this list and somewhere
else. There would be an OPTION in PHP4 soon to enable cookie-only
session installs, and this can be easily incorporated in session class
or whatever as an OPTION too.
Did you benchmark the speed gain of using PHP4 sessions instead of good old
PHPLib's to discourage use of PHP4 sessions? Well, I don't intend to change you
point of view. But I and many others do have our own.
So, don't think we're so stupid. I do understand your considerations,
but I treat them as highly overestimated.
--
Best regards,
Maxim Derkachev mailto:max...@bo...
IT manager,
Symbol-Plus Publishing Ltd.
phone: +7 (812) 324-53-53
www.books.ru, www.symbol.ru
|
