That is why I suggested passing all that over SSL, which would make it very difficult to get the data even if you were able to get the packets. If you are operating with data that you care about, you probably need SSL. There is not much point in creating some type of applet combination that your user's client will need to support when you can use SSL, which is widely supported already.

Jason

On Wed, 2003-02-26 at 23:44, Dennis Gearon wrote:
> Unless of course, you are listening into the network connection :-)
>
> Jason Sheets wrote:
> >
> > Not that I am aware of, it seems you would be better off using SSL, if
> > you are concerned about someone hijacking the sessions you could
> > generate your own session id (I generate random 80 character session ids
> > instead of 32) and also limit the life of the session, you could write
> > logic to change the session ID every n minutes which would make brute
> > forcing the session id even harder.
> >
> > Jason
> > On Wed, 2003-02-26 at 11:34, Dennis Gearon wrote:
> > > Is there any way for a page to save information on a user's computer which is
> > > accessible via java or javascript, but doesn't get sent with each HTML
> > > request the way a cookie is?
> > >
> > > I had this idea, patterned after kerberos:
> > >
> > > 1/ A user logs into a site via a secure link.
> > > 2/ A hash salt is stored on their computer and an
> > >    initial hash is generated for the user as a Password
> > >    to their session key.
> > > 3/ The user is redirected to the non secure part of the site
> > >    and they have both the hash-pw plus session key in their document.
> > > 4/ Each time they access a page on our site, a javascript fires
> > >    which generates the next sequence in the hash-pw.
> > > 5/ the server also generates the same new sequence and compares
> > >    it. If the session key and the new password agree, then
> > >    it is the user attached to the session.
> > >
> > > So, this salt needs to NOT be transmitted via the cookie so
> > > that it does not appear 'in the clear', which would invalidate
> > > its use.
> > >
> > > Please CC me when you reply to the list, I am on digest.
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> > --
> > Carpe Dancem ;-)
> -----------------------------------------------------------------
> Remember your friends while they are alive
> -----------------------------------------------------------------
>                          Sincerely, Dennis Gearon
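
The session handling suggested in the thread (a long random session ID, a limited session life, and an ID that changes every n minutes), sketched as an added example that is not code from any poster. The function names, the in-memory `$store` array standing in for a real session backend, and the 5-minute and 1-hour values are assumptions; only the 80-character length comes from the thread.

```php
<?php
declare(strict_types=1);

const ID_CHARS     = 80;    // ID length mentioned in the thread (hex: 320 random bits)
const ROTATE_AFTER = 300;   // assumed value for "n minutes": 5 minutes
const MAX_LIFETIME = 3600;  // assumed absolute session lifetime: 1 hour

function new_session_id(): string
{
    // CSPRNG output, hex-encoded; never rand(), mt_rand() or uniqid()
    return bin2hex(random_bytes(intdiv(ID_CHARS, 2)));
}

function open_session(array &$store, string $user, int $now): string
{
    $id = new_session_id();
    $store[$id] = ['user' => $user, 'created' => $now, 'rotated' => $now];
    return $id;
}

// Returns the ID the client must present from now on, or null if rejected.
function touch_session(array &$store, string $id, int $now): ?string
{
    $s = $store[$id] ?? null;
    if ($s === null) {
        return null;                  // unknown, expired or rotated-out ID
    }
    if ($now - $s['created'] > MAX_LIFETIME) {
        unset($store[$id]);           // hard expiry, regardless of activity
        return null;
    }
    if ($now - $s['rotated'] >= ROTATE_AFTER) {
        unset($store[$id]);           // the old ID stops working immediately
        $id = new_session_id();
        $s['rotated'] = $now;
    }
    $store[$id] = $s;
    return $id;
}

// Constructed walk-through with fixed timestamps (not real traffic).
$store = [];
$t0  = 1000000;
$id1 = open_session($store, 'alice', $t0);
$id2 = touch_session($store, $id1, $t0 + 60);       // inside the rotation window
$id3 = touch_session($store, $id1, $t0 + 400);      // rotation is due
var_dump(strlen($id1), $id2 === $id1, $id3 === $id1);
var_dump(touch_session($store, $id1, $t0 + 401));   // old ID presented after rotation
var_dump(touch_session($store, $id3, $t0 + 4000));  // presented past the absolute lifetime
```

Rotation and expiry only shorten how long a captured ID stays useful; over plain HTTP each new ID is still readable on the wire, which is the case the SSL advice in the thread addresses.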