On Mon, Jun 24, 2002 at 10:03:09AM -0600, [EMAIL PROTECTED] wrote:
>Niko,
>    If you don't want to compromise security then use .htaccess instead. Then base
>your session file off of the $ENV{'REMOTE_USER'}. Now of course this is assuming
>you are using Apache. Then yes, you do need to check every time.
>    With just a session id, how easy it would be for somebody to try session id's
>until they find one still open. Or write down the session id off of somebody
>else's computer as they step away for a moment. Basically, do you want it the
>most secure you can have it, or are you ok with security through obscurity?

I don't need the most secure one, and the session id is already enough
for us. I'll try to use .htaccess for more crucial information.

>    By the way, if you plan to stick with the session file, I hope it's a file on
>your server, not a cookie on their machine. How easy it would be to change the
>username in their cookie and then have access to somebody else's stuff. Though if
>you stick with the session solution, a cookie would be an appropriate place to
>put the session id.

I'm using CGI::Session and storing the session id in a cookie. The
session data itself is kept in a MySQL database.
I guess this solution should be adequate for my needs. And I just
realized the answer to my question is in the CGI::Session manual.

I still have to check the account/password against the database, as this
module will generate a new id if the given id does not exist. So I can't
base my authentication on the existence of a session id only.

Thx for the explanation :)

Regards,
Niko
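Worked example of the pattern Niko describes, added here and not code from the original thread: CGI::Session with the MySQL driver and a cookie carrying only the session id, where an unknown or expired id silently yields a fresh empty session, so the request handler treats a session as authenticated only if a `user` parameter was stored in it after a successful password check. The `users` table layout, the `verify_credentials` helper and its salted SHA-256 scheme, and the DSN/credentials are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use DBI;
use Digest::SHA qw(sha256_hex);

my $cgi = CGI->new;

# Assumed DSN and credentials; the session store and the users table share one handle.
my $dbh = DBI->connect("DBI:mysql:database=app;host=localhost", "appuser", "secret",
                       { RaiseError => 1, PrintError => 0 });

# load() looks up the id found in the CGISESSID cookie. If that id is unknown
# (guessed, expired, or deleted) the result is an *empty* session, not an error,
# which is exactly why the presence of an id proves nothing about who sent it.
my $session = CGI::Session->load("driver:mysql", $cgi, { Handle => $dbh })
    or die CGI::Session->errstr;
if ($session->is_empty) {
    # Mint a new anonymous session with a server-generated id.
    $session = $session->new() or die CGI::Session->errstr;
}
$session->expire('+30m');    # idle timeout on the server-side record

# Assumed schema: users(username, salt, password_hash) with
# password_hash = sha256_hex(salt . password). Returns the username on success.
sub verify_credentials {
    my ($dbh, $username, $password) = @_;
    return unless defined $username && defined $password;
    my $row = $dbh->selectrow_hashref(
        "SELECT username, salt, password_hash FROM users WHERE username = ?",
        undef, $username) or return;
    return $row->{username}
        if sha256_hex($row->{salt} . $password) eq $row->{password_hash};
    return;
}

my $action = $cgi->param('action') || '';

if ($action eq 'login') {
    # The only place a session ever becomes "authenticated": after the
    # account/password check against the database that Niko mentions.
    if (my $user = verify_credentials($dbh, scalar $cgi->param('username'),
                                            scalar $cgi->param('password'))) {
        $session->param('user', $user);
    }
}
elsif ($action eq 'logout') {
    $session->delete;       # remove the server-side record ...
    $session->flush;        # ... now, not at object destruction
}

# Authorization check on every request: the id alone is not enough, the
# session record must carry a user that was set by verify_credentials.
my $user = $session->param('user');

# Only the opaque id travels in the cookie; the username stays in MySQL.
my $cookie = $cgi->cookie(-name => $session->name, -value => $session->id,
                          -path => '/', -httponly => 1);
print $cgi->header(-cookie => $cookie, -type => 'text/plain');

if (defined $user) {
    print "Logged in as $user (session ", $session->id, ")\n";
} else {
    print "Not logged in; please authenticate.\n";
}

$session->flush;    # persist parameter changes to the mysql driver
```

Calling `load()` and testing `is_empty` rather than calling `new()` directly makes the "unknown id" case visible in the handler; either way the decision that matters is the `param('user')` check, which can only be true for a record written after `verify_credentials` succeeded, so a guessed or stale id never grants access. The `-httponly` cookie attribute keeps client-side script from reading the id, which reduces the exposure the quoted reply describes when a session id is copied from someone else's browser.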
