> Very good: keep the thing on a secure connection all the time, set a
> session id cookie and keep all user info (possibly including remote ip)
> in the server's session db... (vulnerable to nothing I can think
> of at the moment...)
>
> There are probably more things you could do I haven't thought
> of... but this oughta be a decent start ;)
Suggestion: don't send session IDs as cookies, since they may be
sequential and guessable. Instead, grab an MD5 of the session ID, the
remote IP address, and the current time. Throw as much entropy in there
as you can, send the MD5 sum as the cookie value, and store it in
the session table in the database.
Jason
--
Jason Murray
[EMAIL PROTECTED]
Web Design Team, Melbourne IT
Fetch the comfy chair!
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
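The scheme above, worked through as an added example in modern PHP (this is not code from the original post or from Jason): the internal session id stays server-side and may be sequential, the cookie value is a hash over the session id, the client IP, the current time and a CSPRNG value, and the session table is what the cookie is resolved against. It goes slightly beyond the post in three places: the hash is SHA-256 rather than MD5, only a hash of the token is stored at rest (so a dumped table is not a list of valid cookies), and the IP pinning and secure-connection points from the quoted reply are carried through. Note that of the four inputs, only the random bytes are unknown to an attacker; the session id, IP and timestamp are all guessable, so the `random_bytes()` call is doing the real work that "throw as much entropy in there as you can" asks for. The `sessions` table layout, the cookie name `SESSTOKEN`, the 30-minute idle timeout and the in-memory SQLite database in the demo are all assumptions made for this example.

```php
<?php
// Added example, not from the original post. Table schema, cookie name,
// TTL and the SQLite demo database are assumptions for illustration.
declare(strict_types=1);

const SESSION_TTL = 1800;        // assumed idle timeout, seconds
const COOKIE_NAME = 'SESSTOKEN'; // assumed cookie name

/**
 * Build the opaque cookie value from session id, client IP and time, as the
 * post suggests, plus 32 bytes of CSPRNG output. Without the random bytes
 * every input is attacker-knowable and the hash would be guessable too.
 */
function mintToken(string $sessionId, string $remoteIp, int $now): string
{
    $entropy = random_bytes(32); // CSPRNG, PHP >= 7.0
    return hash('sha256', $sessionId . '|' . $remoteIp . '|' . $now . '|' . $entropy);
}

/** Create a session row, mint its token and return the token to send as a cookie. */
function startSession(PDO $db, int $userId, string $remoteIp): string
{
    $now = time();
    // The internal id may be sequential; it never leaves the server.
    $db->prepare('INSERT INTO sessions (user_id, remote_ip, created_at, last_seen)
                  VALUES (?, ?, ?, ?)')
       ->execute([$userId, $remoteIp, $now, $now]);
    $sessionId = (string) $db->lastInsertId();

    $token = mintToken($sessionId, $remoteIp, $now);
    // Store only a hash of the token so a leaked table does not yield usable cookies.
    $db->prepare('UPDATE sessions SET token_hash = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $sessionId]);
    return $token;
}

/** Send the token as a cookie; call this from the web entry point before any output. */
function sendSessionCookie(string $token): void
{
    setcookie(COOKIE_NAME, $token, [
        'expires'  => 0,      // session cookie
        'path'     => '/',
        'secure'   => true,   // only over TLS, per the quoted reply
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/** Resolve a cookie value to its session row, or null if unknown, expired or from another IP. */
function resolveSession(PDO $db, string $token, string $remoteIp): ?array
{
    $stmt = $db->prepare('SELECT id, user_id, remote_ip, last_seen FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if (time() - (int) $row['last_seen'] > SESSION_TTL) {
        $db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$row['id']]);
        return null;
    }
    // IP pinning as in the quoted reply; NAT and mobile clients may make this too strict.
    if ($row['remote_ip'] !== $remoteIp) {
        return null;
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE id = ?')->execute([time(), $row['id']]);
    return $row;
}

// Self-contained demo against an in-memory SQLite database (constructed here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
             id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER, remote_ip TEXT,
             token_hash TEXT, created_at INTEGER, last_seen INTEGER)');

$token = startSession($db, 42, '203.0.113.7');
var_dump(resolveSession($db, $token, '203.0.113.7') !== null);   // bool(true)
var_dump(resolveSession($db, $token, '198.51.100.9') !== null);  // bool(false): different IP
var_dump(resolveSession($db, str_repeat('0', 64), '203.0.113.7') !== null); // bool(false): unknown token
```

Run it with the `php` CLI; in a real application `sendSessionCookie()` is called with the value returned by `startSession()`, and `resolveSession()` is called with `$_COOKIE[COOKIE_NAME]` and `$_SERVER['REMOTE_ADDR']` on each request. Because the lookup is by the hash of the token rather than by the sequential id, an attacker who knows the highest id in the table still has nothing to enumerate.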