On Saturday 07 June 2003 17:12, Bix wrote:
> The best way to avoid SID "Hijacks" is to assign an IP variable, and an
> expiration
Never rely on an IP address to be unique to a particular browser/user. For
reasons why search archives.
--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
On Sat, 7 Jun 2003, Bix wrote:
> Monty,
>
> The best way to avoid SID "Hijacks" is to assign an IP variable, and an
> expiration
>
> session_register("USERIP");
> $_SESSION['USERIP'] = $_SERVER['REMOTE_ADDR'];
> session_register("EXPIRES");
> $_SESSION['expires'] = time() + 900; // 900 secon
Monty,
The best way to avoid SID "Hijacks" is to assign an IP variable, and an
expiration
session_register("USERIP");
$_SESSION['USERIP'] = $_SERVER['REMOTE_ADDR'];
session_register("EXPIRES");
$_SESSION['expires'] = time() + 900; // 900 seconds (15 mins)
and then the session has the users I
> > both the cookie and URL based session passed over without SSL is insecure.
> > i'd love to know who told you otherwise.
>
> I can't remember the exact sites now, but, the issue was about how much
> easier it is to spoof Sessions when IDs are passed via the URL as opposed to
> being stored
I don't have a study in front of me, but I'm fairly sure that cookies
are much more likely to be enabled than javascript. I recommend opening
a normal popup using a link with a target, and opening a sized popup and
returning false with javascript in an onclick property. Something like:
Open po
> both the cookie and URL based session passed over without SSL is insecure.
> i'd love to know who told you otherwise.
I can't remember the exact sites now, but, the issue was about how much
easier it is to spoof Sessions when IDs are passed via the URL as opposed to
being stored in a cookie.
>
on 05/06/03 8:05 AM, Monty ([EMAIL PROTECTED]) wrote:
> Hi Justin,
>
> I hear what you're saying about refusing people without cookies turned off,
> and I really tried to make it work on my site, but, keep running into lots
> of problems. I do have enable-trans-sid turned on, but, get inconsisten
IL PROTECTED]>
> Subject: Re: [PHP] Gracefully dealing with Cookies OFF
>
> Why on earth would you refuse users without cookies?? Take a look at all
> the major websites (amazon & msn for starters).
>
> Do they require cookies? No.
> Do they require JavaScript? No
ECTED]
Subject: [PHP] Gracefully dealing with Cookies OFF
I've decided to require that members for a site need to have cookies enabled
in their browsers to sign-up and use the site. Is there a graceful way to
deal with this when users who have cookies off try to sign-up or log-in to
the sit
On Wed, 04 Jun 2003 03:08:00 -0400, Monty wrote:
>I've decided to require that members for a site need to have cookies enabled
>in their browsers to sign-up and use the site. Is there a graceful way to
>deal with this when users who have cookies off try to sign-up or log-in to
>the site?
You can
Why on earth would you refuse users without cookies?? Take a look at all
the major websites (amazon & msn for starters).
Do they require cookies? No.
Do they require JavaScript? No.
Do they require anything else special on the site? No.
They take advantage of technology where available (DHTML
I've decided to require that members for a site need to have cookies enabled
in their browsers to sign-up and use the site. Is there a graceful way to
deal with this when users who have cookies off try to sign-up or log-in to
the site?
Thanks,
Monty
--
PHP General Mailing List (http://www.php