> both the cookie and URL based sessions passed over without SSL are insecure.
> i'd love to know who told you otherwise.

I can't remember the exact sites now, but, the issue was about how much
easier it is to spoof Sessions when IDs are passed via the URL as opposed to
being stored in a cookie.

> perhaps now is the time to re-think all this stuff, decide if you are going
> to support everyone (which i would for any paying client with a wide target
> market), or skip over those who don't meet your definition of a web visitor.

After your in-depth response, I've re-thought my re-thinking and have gone
back to wanting to support all users whether or not they have cookies turned
on. And, miraculously, I've already got it working, so, thanks for your
detailed reply.

But going back to the first point, if I'm passing Session IDs via the URL,
shouldn't I be doing something more to make the site a little more secure? I
don't store sensitive data in sessions vars, but, if it allows a non-paying
member to hijack a paying member's session, then this is going to be a
problem. But I'm not sure what more I can do to make the session a little
more secure and less likely that someone will hijack it. SSL is a little
overkill for this, as this isn't a bank or financial institution, it's just
a little community website.

The log-in for the site is fairly simple: After verifying the username and
password against what's stored in the DB, it sets up a few session vars with
that member's access level and a few other preferences. This is so I don't
have to continually query the DB for this info on every page.

Is there anything more I can do to make it harder to spoof sessions?

> just to throw another spanner into it all, what happens if I have JS off?
> will I still be able to access the content of the pop-ups?  i bet not :)

Well, I have to draw the line somewhere. JavaScript is used throughout this
site for simple things like resizable popups. I'm not willing to dumb it
down that much.

Thanks!

Monty


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
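An added example, not code from the thread, of the kind of checks Monty's login flow can add when the session ID may travel in the URL: regenerate the ID at login so an ID captured before authentication is useless, reject unknown IDs with strict mode, bind the session to a coarse client fingerprint, and enforce an idle timeout. The function names (login_user, session_is_valid) and the $member array are assumptions; $member stands for the caller's own DB row.

```php
<?php
// Added example for hardening URL-passed PHP sessions; all names are assumed.

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before forced logout

// Coarse fingerprint of the client. A session ID copied out of a URL and
// replayed from a different browser will not match. Deliberately avoids the
// full IP address so users behind rotating proxies are not logged out.
function client_fingerprint(): string {
    return hash('sha256',
        ($_SERVER['HTTP_USER_AGENT'] ?? '') . '|' .
        ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? ''));
}

// Call only after the username/password check against the DB has succeeded.
function login_user(array $member): void {
    // Discard the pre-login ID: anything that leaked via URL, logs or the
    // Referer header before authentication no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['member_id']    = $member['id'];
    $_SESSION['access_level'] = $member['access_level'];
    $_SESSION['fingerprint']  = client_fingerprint();
    $_SESSION['last_seen']    = time();
}

// Call at the top of every page; false means the session must not be trusted.
function session_is_valid(): bool {
    if (!isset($_SESSION['member_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint())) {
        return false; // ID presented from a different client
    }
    if (time() - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        return false; // stale session: limits the window for a captured ID
    }
    $_SESSION['last_seen'] = time();
    return true;
}

function destroy_session(): void {
    $_SESSION = [];
    session_destroy();
}

// Strict mode makes PHP ignore session IDs it did not itself issue, so an
// attacker-chosen ID placed in a URL cannot be pre-planted (session fixation).
ini_set('session.use_strict_mode', '1');
session_start();
if (isset($_SESSION['member_id']) && !session_is_valid()) {
    destroy_session(); // then send the visitor back to the login page
}
```

Because the access level is cached in the session, re-read it from the DB (or regenerate the ID) whenever a member's status changes, so a downgraded account does not keep its old privileges until the session expires.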