[Please copy replies off-list.]
I want to use PHP4 sessions for authentication, but I'm having difficulty
understanding how to get around users spoofing, stealing or linking sessions.
Here's an example: Alice sends Bob a link from a site she's logged into.
Alice has cookies turned off in her browser, so the session id will be in the
URL she sends Bob. Eve intercepts the message, follows the link and now she
can take over Alice's session, and any data that is associated with that
session. For that matter, Bob can do the same thing.
I can think of lots of ways around this, but most of them are kludges that
don't really cut it. I can store a second authentication value in a cookie,
but that would require cookies, which isn't acceptable. I could propagate a
second authentication variable in the URL, but that's a lot of hassle and
defeats the purpose of PHP sessions. I can check the HTTP_REFERER to see if
the user came from my own site, but that can be spoofed. I can log and check
the user's IP address, but that can't be relied upon.
Is there any reliable way around this? Am I missing something obvious?
Cheers,
adam
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
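An added example for this thread (not code from the original post): a PHP session bootstrap showing the server-side checks that still apply when the session id travels in the URL. None of them makes a leaked id harmless; each one limits what it buys. The constant names, function names and the PHP >= 7.1 requirement (for nullable return types and hash_equals) are this example's own assumptions.

```php
<?php
// Added example, not from the original post. Names and timeouts are assumptions.
// If you must support cookie-less clients, session.use_trans_sid=1 makes PHP
// rewrite links with the id. That is exactly the exposure in the thread, so it
// is not switched on here; the checks below are what you pair it with.

const IDLE_TIMEOUT     = 15 * 60;   // drop a session idle longer than this
const ABSOLUTE_TIMEOUT = 8 * 3600;  // drop a session older than this regardless
const REAUTH_WINDOW    = 5 * 60;    // sensitive actions need a login this recent

// Something the client could not copy out of the link itself. The User-Agent
// is not secret, but Bob's browser will usually differ from Alice's, so a
// mismatch is a cheap signal. IP is deliberately left out (proxies, dial-up).
function client_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function start_session(): void
{
    // Reject ids the server never issued, so Eve cannot plant an id of her
    // choosing in a link to Alice and reuse it after Alice logs in (fixation).
    ini_set('session.use_strict_mode', '1');
    session_start();

    $now = time();
    if (isset($_SESSION['created'])) {
        $expired = ($now - $_SESSION['last'] > IDLE_TIMEOUT)
                || ($now - $_SESSION['created'] > ABSOLUTE_TIMEOUT);
        $moved = !hash_equals($_SESSION['fp'], client_fingerprint());
        if ($expired || $moved) {
            // Whoever presents this id now gets a fresh anonymous session,
            // and the old id stops resolving to anything.
            $_SESSION = [];
            session_regenerate_id(true);
        }
    }
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
        $_SESSION['fp']      = client_fingerprint();
        $_SESSION['user']    = null;
        $_SESSION['auth_at'] = 0;
    }
    $_SESSION['last'] = $now;
}

function login(string $userId): void
{
    // New id at the privilege boundary: a link Alice shared before logging in,
    // or an id Eve saw in transit, no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user']    = $userId;
    $_SESSION['auth_at'] = time();
    $_SESSION['created'] = time();
    $_SESSION['fp']      = client_fingerprint();
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

// Changing a password, e-mail or address should cost Eve more than a copied
// link: ask for the password again unless the login is recent.
function has_recent_login(): bool
{
    return current_user() !== null
        && (time() - $_SESSION['auth_at']) <= REAUTH_WINDOW;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Typical request flow:
//   start_session();
//   if (!has_recent_login()) { /* show password prompt, then login($id) */ }
```

The honest answer to the question in the post is that if the id in the URL is the only credential, anyone holding the URL is the user for as long as that id stays valid. What the code above does is shorten "as long as": strict mode stops Eve from choosing the id, regenerating at login stops a pre-login id from being useful, the idle and absolute timeouts bound the window, the fingerprint catches the casual Bob case, and re-authentication for sensitive actions means a copied link still does not get Eve a password change.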