On Mon, Jun 24, 2002 at 10:03:09AM -0600, [EMAIL PROTECTED] wrote:
> Niko,
>   If you don't want to compromise security then use .htaccess instead. Then base
> your session file off of the $ENV{'REMOTE_USER'}. Now of course this is assuming
> you are using Apache. Then yes you do need to check every time.
>   With just a session id, how easy it would be for somebody to try session ids
> until they find one still open. Or write down the session id off of somebody
> else's computer as they step away for a moment. Basically, do you want it the
> most secure you can have it or are you ok with security through obscurity?

I don't need the most secure one and the session id is already enough for us. I'll try to use the .htaccess for more crucial information.

>   By the way, if you plan to stick with the session file, I hope it's a file on
> your server, not a cookie on their machine. How easy it would be to change the
> username in their cookie and then have access to somebody else's stuff. Though
> if you stick with the session solution, a cookie would be an appropriate place
> to put the session id.

I'm using CGI::Session and storing the session id using a cookie. The session id itself is kept in a MySQL database. I guess this solution should be adequate for my needs.

And I just realized the answer to my question in the CGI::Session manual. I still have to check the account/password against the database, as this module will generate a new id if the given id does not exist. So I can't base my authentication on the existence of a session id only.

Thx for the explanation :)

Regards,
Niko
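The pattern Niko arrives at, written out as an added example that is not code from the thread: check the password once at login, record the user in the server-side session, and on later requests treat a session CGI::Session had to create fresh as unauthenticated. It assumes CGI::Session's `new`, `is_new`, `param`, `expire`, `flush` and `header` methods; the DSN and `verify_password` helper are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

# Constructed placeholders; the real DSN and credentials are not on the page.
my %db = (DataSource => 'dbi:mysql:sessions', User => 'app', Password => 'PLACEHOLDER');

# Hypothetical helper: returns true only if the submitted credentials match the
# account table. The real check lives in the application's user database.
sub verify_password { my ($user, $pass) = @_; return 0; }

# Look up the session named by the cookie. CGI::Session hands back a fresh,
# empty session when that id is unknown, so a session object alone proves nothing.
sub load_session {
    my ($cgi) = @_;
    return CGI::Session->new('driver:mysql', $cgi, \%db);
}

# Login: the only place the password is checked. On success the username is
# written into the server-side record, never into the cookie itself.
sub login {
    my ($cgi, $session) = @_;
    my ($user, $pass) = ($cgi->param('user'), $cgi->param('pass'));
    return 0 unless defined $user && verify_password($user, $pass);
    $session->param('auth_user', $user);
    $session->expire('+30m');   # idle timeout limits how long a leaked id stays usable
    $session->flush;
    return 1;
}

# Per-request check: the session must be one the server populated at login, not
# the brand-new one handed out for an unknown or expired id.
sub current_user {
    my ($session) = @_;
    return undef if $session->is_new;
    return $session->param('auth_user');   # undef unless login() succeeded earlier
}

my $cgi     = CGI->new;
my $session = load_session($cgi);
my $action  = $cgi->param('action') // '';
login($cgi, $session) if $action eq 'login';
my $who = current_user($session);
print $session->header(-type => 'text/plain');   # sets or refreshes the session-id cookie
print defined $who ? "Logged in as $who\n" : "Not authenticated\n";
```

Because the cookie carries only the opaque id and the username lives in the MySQL row, editing the cookie cannot change who the server thinks is logged in; guessing a live id remains the residual risk the earlier reply describes, which the idle expiry narrows.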