Posted by larry on 12/29/06 23:07
On Dec 29, 6:26 am, Vincent Delporte <just...@acme.com> wrote:
> On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mrsmi...@hotmail.com>
> wrote:
>
> >there a best practice for this. Currently what I do is have each page
> >include a check session include file.
> From what I read, this is how it should be done. Put the check in a
> file, and include it first thing in all the pages.
And to take it to the next step, you include their remote address as
part of their session check (md5 with IP and user name or something to
mix it up), so if someone were to intercept your session and try to take
over, the change in client IP (during the session) would void the
access.
Another thing would be to put a time limit on the current session
access (a session var with expiration time), so if some bad guy got in
from a user abandoning a terminal with a live connection, it would time
out regardless. (Or/also maybe have a re-verification for
sensitive/delete/admin parts just to make sure.) Just depends on how
paranoid you want to be.