Does it change the IP address while the user is connected? I didn't think
that was possible... I only use sessions to store username/password and
other limited variables, it's only if they log off and back in again that
they have to log out, and separate cookies automatically handle the login
there, so it's pretty seamless.

Anyone know about server farms? I vaguely remember reading that you should
only use the first three portions of an IP address (e.g. 123.12.123) to be
sufficient for a server farm.

"Dave At Sinewaves.Net" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> You're going to be shutting out a lot of AOL users (bah! who needs em! ;p)
> if you do that, as AOL changes a user's IP address about as often as you
> read the word "the"...
>
> Dave
>
>
> -----Original Message-----
> From: M1tch [mailto:[EMAIL PROTECTED]]
> Sent: Saturday, September 07, 2002 12:05 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Re: Proposal for securing PHP sessions
>
>
> Why not just use IP?
> I created a nice system, whereby if your IP is changed (or someone is
> hacking your session), the session is destroyed, and the user must log in.
> Does not add much overhead either.
>
> Also, I built it using database (using my own session functions in
> savehandler), that stores the ip as well.
> This prevents people snooping.
>
> Still not 100% secure I imagine, but much better.
>
> Andy
>
> "Mar Tin" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> >
> > Dear all:
> >
> > Until I read the article "PHP Session security"
> > (http://www.webkreator.com/php/configuration/php-session-security.html)
> > I hadn't noticed how insecure PHP sessions are.
> >
> > Basically there are 2 problems:
> >
> > *) It's possible to hijack a session if you know the
> > SID (session id)
> >
> > 1) If you're on a shared server (cheap webhosting)
> > other users can get the SIDs by doing "ls /tmp/sess_*"
> > (/tmp/ is defined on session.save_path on the config
> > file, so it may be different).
> >
> > 2) When a user clicks on an external link, the
> > browser sends the REFERER url and sometimes it
> > contains the SID (if session.use_trans_sid is enabled)
> >
> > PHP offers a security measure: with
> > session.referer_check it will reject SIDs coming from
> > other referers, but the referer url can be easily
> > forged.
> >
> > *) Users can read session data from the session files,
> > which are owned by the server process (every user
> > which has an account on the webserver can read server
> > owned files)
> >
> > (If you're interested in the subject I would recommend
> > reading the full article:
> > http://www.webkreator.com/php/configuration/php-session-security.html)
> >
> > I have developed some functions to avoid these
> > problems. They replace the standard session functions
> > (using session_set_save_handler), so you only have to
> > include the file at the beginning of your script and
> > (afaik) you're safe :)
> >
> > This is the idea:
> >
> > Apart from the session cookie, I set another one (with
> > the same name and the string '_sec' appended). On this
> > cookie I set a random KEY.
> > The name of the file which contains the session data
> > is the md5 hash of the SID and the KEY together. This
> > makes it impossible to guess the session id by looking at
> > the filenames.
> >
> > To hide the data inside the file, the serialized
> > string is encrypted using the KEY as password, so nobody
> > can see the content of your users' sessions.
> >
> > You can find the code here:
> > http://www.n3rds.com.ar/files/docs/php_sessions/sess_handler.txt
> >
> > I'm looking for suggestions to make it 100% compatible
> > with the standard session functions, and I would like
> > to hear some thoughts about the idea
> >
> > Martin Sarsale
> > [EMAIL PROTECTED]
> >
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
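As an added example (not code from this thread and not the sess_handler.txt file Martin links), here is one way to implement the scheme he describes with session_set_save_handler: a second cookie named after the session cookie plus '_sec' carrying a random key, a session file whose name is a hash of the SID and that key, and the serialized session data encrypted under the key. It assumes PHP 8.1 or later with the sodium extension, substitutes sha256 and an authenticated secretbox for the md5 and the unspecified "crypt" of the proposal, and the class name, the directory '/path/to/private/sessions' and the cookie wiring are assumptions of this example, not anything from the thread.

```php
<?php
// Added example implementing the two-cookie session scheme from the thread.
// Assumes PHP >= 8.1 with ext/sodium. The session directory is a placeholder
// and must be writable by the web server only (not a shared /tmp).

final class KeyedSessionHandler implements SessionHandlerInterface
{
    private string $dir;
    private string $key;   // 32 raw bytes taken from the '<session_name>_sec' cookie

    public function __construct(string $dir, string $key)
    {
        $this->dir = rtrim($dir, '/');
        $this->key = $key;
    }

    // File name depends on SID *and* the secret key, so listing the directory
    // ("ls /tmp/sess_*" in the thread) reveals neither the SID nor the key.
    private function path(string $id): string
    {
        return $this->dir . '/sess_' . hash('sha256', $id . "\0" . $this->key);
    }

    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $blob = @file_get_contents($this->path($id));
        if ($blob === false || strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
            return '';   // no session under this SID/key pair: start empty
        }
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $plain = sodium_crypto_secretbox_open($ct, $nonce, $this->key);
        // Wrong key or tampered file fails authentication: treat as no session.
        return $plain === false ? '' : $plain;
    }

    public function write(string $id, string $data): bool
    {
        // Fresh nonce per write; the ciphertext on disk is unreadable without the key.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $ct    = sodium_crypto_secretbox($data, $nonce, $this->key);
        return file_put_contents($this->path($id), $nonce . $ct, LOCK_EX) !== false;
    }

    public function destroy(string $id): bool
    {
        $p = $this->path($id);
        return !file_exists($p) || unlink($p);
    }

    public function gc(int $max_lifetime): int|false
    {
        $n = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $f) {
            if (filemtime($f) < time() - $max_lifetime && unlink($f)) { $n++; }
        }
        return $n;
    }
}

// Wiring: the '_sec' cookie carries the key, as in the proposal. An invalid or
// missing cookie gets a fresh random key, which simply yields an empty session.
$secName = session_name() . '_sec';
$rawKey  = isset($_COOKIE[$secName]) ? base64_decode($_COOKIE[$secName], true) : false;
if ($rawKey === false || strlen($rawKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    $rawKey = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
    setcookie($secName, base64_encode($rawKey), [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
}
session_set_save_handler(new KeyedSessionHandler('/path/to/private/sessions', $rawKey), true);
session_start();
```

What this buys, in the terms of the thread: a SID learned on its own (from a directory listing or a Referer carrying a use_trans_sid URL) neither locates the file nor decrypts it, because both depend on the second cookie, and the handler never writes plaintext that other accounts on a shared host could read. What it does not buy: if both cookies leak over the same channel (an unencrypted connection, a script running in the page), they travel together, and the secretbox here authenticates the file but not the client, so the usual controls (regenerating the session id on login, Secure/HttpOnly cookies, a private save path) still apply.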