--- j kensler <[EMAIL PROTECTED]> wrote:

> The first thing to do is to set your scripts to not allow session
> handling to be carried out through the URL if a person's browser
> won't accept cookies. It would be way too easy to change the ID.

While true, it is only barely more convenient to change the session identifier on the URL. I wouldn't rely on this recommendation for any type of security - anything from the client can be spoofed, and there are tools that let people easily manage their cookies.

> And also if the id numbers are sequential

My advice is to not generate your own session identifiers. It is highly unlikely that you know more about entropy than those who developed the algorithm used to generate a session identifier in PHP's native implementation. If you are an expert on such things and think you can make some improvements to the entropy, please contribute your implementation back to PHP. :-)

> you might also want to have a second, random identifier that is also
> a session variable.

This is a good suggestion. It's basically to generate a random string of some sort (I usually call this thing a token, but you can call it whatever). What you want to do is propagate this using a different method than the session identifier is propagated (when possible - if the user disables support for cookies, then you have no choice in the matter). For example, propagate the session identifier in a cookie and the token on the URL.

Why different methods? If the session identifier is compromised, then it is possible that the method used to compromise it can compromise the token as well (if the same method is used).

Hope that helps.

Chris

=====
Chris Shiflett - http://shiflett.org/

PHP Security - O'Reilly
HTTP Developer's Handbook - Sams
Coming December 2004
http://httphandbook.org/
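The cookie-plus-URL-token scheme Chris describes, written out as an added example in current PHP (it is not code from the original post): the session ID stays in a cookie generated by PHP itself, a second random token is stored as a session variable and carried on the URL, and a request whose token does not match the stored one is rejected. The function names and the `token` query parameter are this example's own choices.

```php
<?php
// Added example, not from the original post. Assumes PHP 8 (random_bytes,
// hash_equals, str_contains) and that this file handles both issuing and
// checking the token.
declare(strict_types=1);

// Keep the session identifier in a cookie only, never on the URL, and let
// PHP generate it; reject IDs the server never issued.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_start();

// Create one random token per session and keep it server-side.
function issue_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(16));
    }
    return $_SESSION['token'];
}

// Compare the token that arrived on the URL with the one in the session.
function verify_token(mixed $submitted): bool
{
    if (!isset($_SESSION['token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison, so the check itself leaks nothing via timing.
    return hash_equals($_SESSION['token'], $submitted);
}

// Attach the token to a link so it travels separately from the session cookie.
function url_with_token(string $path): string
{
    $sep = str_contains($path, '?') ? '&' : '?';
    return $path . $sep . 'token=' . rawurlencode(issue_token());
}

if (isset($_GET['token'])) {
    if (!verify_token($_GET['token'])) {
        // Cookie and URL disagree: drop the session instead of trusting the cookie alone.
        session_unset();
        session_destroy();
        http_response_code(403);
        exit('Session token mismatch');
    }
    echo 'Token verified for this session.';
} else {
    $link = url_with_token('/protected.php');
    echo '<a href="' . htmlspecialchars($link, ENT_QUOTES) . '">Continue</a>';
}
```

Every link the application emits has to go through `url_with_token()` (or an equivalent), otherwise a legitimate user following a plain link is logged out by the mismatch check.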