On Mon, Jun 24, 2002 at 10:03:09AM -0600, [EMAIL PROTECTED] wrote:
>Niko,
> If you don't want to compromise security then use .htaccess instead. Then base
>your session
>file off of the $ENV{'REMOTE_USER'}. Now of coarse this is assuming you are using
>Apache. Then yes
>you do need to check every time.
> With just a session id, how easy it would be for somebody to try session id's
>until they find
>one still open. Or write down the session id off of somebody else's computer as they
>step away for
>a moment. Basically, do you want it the most secure you can have it or are you ok
>with security
>through obscurity?
i don't need the most secure one and the session id is already enough
for us. I'll try to use the .htaccess for more crucial information.
> By the way, if you plan to stick with the session file, I hope its a file on your
>server, not a
>cookie on their machine. How easy it would be to change the username in their cookie
>and then have
>access to somebody else's stuff. Though if you stick with the session solution, a
>cookie would be
>an appropriate place to put the session id.
I'm using CGI::Session and storing the session id using cookie. The
session id itself is kept in mysql database.
I guess this solution should be adequate for my needs. And i juz
realized the answer of my question in my the CGI::Session manual.
I still have to check the account/ password against the database as this
module will generate new id if the given id is not exist. So i can't
based my authentication with the existence of session id only.
Thx for the explanation :)
Regards,
Niko
--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
