>Poor security: log in with a form or basic authentication; set cookie on
>client with username/password combo (vulnerable to network sniffers,
>anybody with access to browser's cookie file)
>Decent security: log in with form or basic authentication; set cookie with
>session id number and store user information in session database (or
>session file or in session memory or however your sessions are handled...)
>(vulnerable to sniffers)
>Good security: perform auth over a secure connection, set cookie with
>session id number and store user information (including ip address) in
>session database (and check ip address for a match before allowing any
>activity with the session)... (vulnerable to somebody copying a sniffed
>session id and spoofing the ip address to trick the remote site)
>Very good: keep the thing on a secure connection all the time, set a
>session id cookie and keep all user info (possibly including remote ip) in
>the server's session db... (vulnerable to nothing I can think of at the
>moment...)
>
>There are probably more things you could do I haven't thought of... but
>this oughta be a decent start ;)
>
>--Toby

Wow, I never thought of using the remote IP!  Thanks for the tip. I 
am going to use it today for an authentication system I'm building.

Kristofer
-- 
______________________________________

Kristofer Widholm
Web Pharmacy
[EMAIL PROTECTED]
191 Grand Street, Brooklyn  NY  11211
718.599.4893
______________________________________
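As an added example (not code from the thread), here is Toby's "very good" scheme in PHP: a TLS-only session cookie, user info kept only in the server-side session, and the stored remote IP re-checked before any activity; `verifyCredentials` and its one-entry user table are a constructed stub.

```php
<?php
// Added example (not from the thread): the "very good" scheme Toby
// describes, in PHP. The credential lookup is a hypothetical stub.

// Session cookie only over TLS and out of script reach.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // HTTPS only
    'httponly' => true,   // not readable by JavaScript
    'samesite' => 'Lax',
]);
session_start();

/** Hypothetical credential check; the user table here is constructed. */
function verifyCredentials(string $user, string $password): ?int
{
    $users = ['alice' => [42, password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$user]) || !password_verify($password, $users[$user][1])) {
        return null;
    }
    return $users[$user][0];   // user id
}

/** On successful login: fresh session id, user info kept server-side only. */
function loginSession(int $userId): void
{
    session_regenerate_id(true);          // drop the pre-login id
    $_SESSION['user_id']   = $userId;
    $_SESSION['remote_ip'] = $_SERVER['REMOTE_ADDR'] ?? '';
}

/** Before any action: session must carry a user and the same client address. */
function sessionIsValid(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['remote_ip'])) {
        return false;
    }
    return hash_equals($_SESSION['remote_ip'], $_SERVER['REMOTE_ADDR'] ?? '');
}

if (isset($_POST['user'], $_POST['pass'])) {
    $id = verifyCredentials($_POST['user'], $_POST['pass']);
    if ($id !== null) { loginSession($id); }
}
if (!sessionIsValid()) {
    http_response_code(401);
    exit('Not authenticated');
}
```

The IP check is a secondary control: it rejects legitimate users whose address changes mid-session (mobile networks, proxy pools), and as the thread notes it does not stop a client that can spoof the address, so the TLS-only cookie is what actually keeps the session id off the wire.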

-- 
PHP General Mailing List (http://www.php.net/)