>Poor security: log in with a form or basic authentication; set cookie on
>client with username/password combo (vulnerable to network sniffers,
>anybody with access to browser's cookie file)
>Decent security: log in with form or basic authentication; set cookie with
>session id number and store user information in session database (or
>session file or in session memory or however your sessions are handled...)
>(vulnerable to sniffers)
>Good security: perform auth over a secure connection, set cookie with
>session id number and store user information (including ip address) in
>session database (and check ip address for a match before allowing any
>activity with the session)... (vulnerable to somebody copying a sniffed
>session id and spoofing the ip address to trick the remote site)
>Very good: keep the thing on a secure connection all the time, set a
>session id cookie and keep all user info (possibly including remote ip) in
>the server's session db... (vulnerable to nothing I can think of at the
>moment...)
>
>There are probably more things you could do I haven't thought of... but
>this oughta be a decent start ;)
>
>--Toby
Wow, I never thought of using the remote IP! Thanks for the tip. I
am going to use it today for an authentication system I'm building.
Kristofer
--
______________________________________
Kristofer Widholm
Web Pharmacy
[EMAIL PROTECTED]
191 Grand Street, Brooklyn NY 11211
718.599.4893
______________________________________
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
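An added example, not code from Toby or Kristofer's thread, showing the "very good" scheme above in PHP's own session handling: the browser only ever holds a random session id, in a cookie restricted to HTTPS, while the username and the remote IP stay server-side in `$_SESSION`. The `$users` table, the password, and the helper names `loginAndBindSession()` / `currentUser()` are this example's own assumptions.

```php
<?php
// Added example, not from the original thread. Browser holds only a session id
// (HTTPS-only cookie); username, remote IP and last-seen time live server-side.
// The $users table and the two helper names are assumptions of this example.

declare(strict_types=1);

// Constructed user table: username => password hash. A real site reads this from
// its user database; hashing on every request here is only to keep the example self-contained.
$users = ['kristofer' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Refuse to do anything on a plain connection: neither the password nor the
// session id should ever be visible to a network sniffer.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit("HTTPS required\n");
}

// The cookie carries only the session id. 'secure' keeps it off plain HTTP,
// 'httponly' keeps page scripts from reading it, 'samesite' keeps other sites
// from sending it along with their requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

/** Verify credentials; on success start a fresh session bound to the client IP. */
function loginAndBindSession(array $users, string $user, string $pass, string $remoteIp): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;
    }
    // New id on login, so an id that existed before authentication is never promoted.
    session_regenerate_id(true);
    $_SESSION['user']      = $user;
    $_SESSION['ip']        = $remoteIp;   // the extra check Toby suggests
    $_SESSION['last_seen'] = time();
    return true;
}

/** Return the logged-in username, or null (destroying the session) if anything is off. */
function currentUser(string $remoteIp, int $ttl = 1800): ?string
{
    if (!isset($_SESSION['user'], $_SESSION['ip'], $_SESSION['last_seen'])) {
        return null;
    }
    $stale   = $_SESSION['last_seen'] + $ttl < time();
    $ipMoved = !hash_equals($_SESSION['ip'], $remoteIp);
    if ($stale || $ipMoved) {
        // A sniffed id replayed from another address, or an abandoned session:
        // throw away the server-side record so the id is worthless from now on.
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

$remoteIp = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';

if (($_POST['action'] ?? '') === 'login') {
    $ok = loginAndBindSession($users, (string)($_POST['user'] ?? ''), (string)($_POST['pass'] ?? ''), $remoteIp);
    if ($ok) {
        echo "logged in\n";
    } else {
        http_response_code(401);
        echo "bad credentials\n";
    }
    exit;
}

$user = currentUser($remoteIp);
if ($user === null) {
    http_response_code(401);
    exit("no valid session\n");
}
echo "hello, $user\n";
```

Two practical points when using the IP check: `$_SERVER['REMOTE_ADDR']` is the address of whatever connected to PHP, so behind a reverse proxy or load balancer every client shows the proxy's IP and the check becomes a no-op unless the proxy's forwarding header is trusted deliberately; and users whose address changes mid-session (mobile networks, some NAT pools) will be logged out by it. The `secure` cookie flag plus keeping the whole site on HTTPS is what actually keeps the session id away from sniffers; the IP binding is a second line of defence, not a substitute.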