Re: How to build a web application the right way

Posted by Jerry Stuckle on 12/30/06 01:57

larry@portcommodore.com wrote:
>
> On Dec 29, 6:26 am, Vincent Delporte <just...@acme.com> wrote:
>
>> On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mrsmi...@hotmail.com>
>> wrote:
>>
>>> there a best practice for this. Currently what I do is have each page
>>> include a check session include file.
>>
>> From what I read, this is how it should be done. Put the check in a
>> file, and include it first thing in all the pages.
>
>
> And to take it to the next step you include their remote address as
> part of their session check (md5 with ip and user name or something to
> mix it up) so if someone were to intercept your session and try to take
> over, the change in client IP (during the session) would void the
> access.
>

VERY BAD IDEA!

First of all, there are providers like AOL who have multiple servers.
Every time a user accesses the page they may come in on a different IP
address.

And many companies have one server for the entire company (or at least a
site). Anyone coming into your site would be coming from the same IP
address. Since the two most likely places to intercept the packets are
on either end of the link and you know your server's end is secure (or
at least hope it is), this provides no protection whatsoever. Worse, it
bugs some users while providing a false sense of security for others.

> And other thing would be to put a time limit to the current session
> access ( a session var with expiration time) so if some badguy got in
> from a user abandoning a terminal with a live connection it would time
> out regardless. (or/also maybe have a re-verification for
> sensitive/delete/admin parts just to make sure) Just depends on how
> paranoid you want to be.
>

This is a good idea. But then if someone stupidly leaves a computer
signed on in a public place, there is a limit to how much you can do
without hassling all of the other users of your site.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
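The pattern the thread settles on (a check-session file included first thing on every protected page, with a time limit on the session and re-verification for sensitive or admin pages) written out as an added example. This is editor-supplied code, not from anyone in the thread. The file names login.php and reauth.php, the session keys, the timeout values and the $REQUIRE_REAUTH flag are assumptions. In line with Jerry's objection, the client IP is deliberately not mixed into the check; the timeouts and the re-authentication window do the work instead.

```php
<?php
// checksession.php - added example, not code posted in the thread.
// Every protected page starts with:
//     require_once __DIR__ . '/checksession.php';
// Assumed (not from the thread): login.php sets $_SESSION['user'],
// $_SESSION['login_time'] and $_SESSION['last_activity']; reauth.php asks for
// the password again and sets $_SESSION['reauth_time'].  Needs PHP 7.3+ for
// the array form of session_set_cookie_params()/setcookie().
declare(strict_types=1);

const IDLE_TIMEOUT     = 15 * 60;   // log out after 15 minutes without a request
const ABSOLUTE_TIMEOUT = 8 * 3600;  // force a fresh login after 8 hours regardless
const REAUTH_WINDOW    = 5 * 60;    // sensitive pages need a password entered in the last 5 minutes

// Cookie hardening.  Note: no client IP is part of the check.  Users behind
// proxy pools change IP between requests, and everyone behind one corporate
// NAT shares an IP, so binding to it breaks the former and protects nothing
// against the latter.
session_set_cookie_params([
    'lifetime' => 0,       // plain session cookie, dropped when the browser closes
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

/**
 * True when the session is logged in and within both time limits; on success
 * the idle timer is refreshed.  Takes the session array by reference so the
 * same function can be exercised with a plain array.
 */
function session_is_valid(array &$sess, int $now): bool
{
    if (empty($sess['user']) || empty($sess['login_time']) || empty($sess['last_activity'])) {
        return false;                                   // never logged in
    }
    if ($now - (int) $sess['last_activity'] > IDLE_TIMEOUT) {
        return false;                                   // abandoned terminal
    }
    if ($now - (int) $sess['login_time'] > ABSOLUTE_TIMEOUT) {
        return false;                                   // session simply too old
    }
    $sess['last_activity'] = $now;
    return true;
}

/** True only if the user re-entered the password within REAUTH_WINDOW. */
function recently_reauthenticated(array $sess, int $now): bool
{
    return !empty($sess['reauth_time']) && ($now - (int) $sess['reauth_time']) <= REAUTH_WINDOW;
}

/** Clear the session server-side and client-side, then send the user away. */
function end_session_and_redirect(string $target): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
    header('Location: ' . $target, true, 302);
    exit;
}

$now = time();
if (!session_is_valid($_SESSION, $now)) {
    end_session_and_redirect('/login.php?reason=expired');
}

// A delete/admin page sets $REQUIRE_REAUTH = true; before the require_once.
// The session stays alive here; the user is only asked for the password again.
if (!empty($REQUIRE_REAUTH) && !recently_reauthenticated($_SESSION, $now)) {
    header('Location: /reauth.php?next=' . rawurlencode($_SERVER['REQUEST_URI'] ?? '/'), true, 302);
    exit;
}
```

The idle limit handles the abandoned-terminal case the thread worries about, the absolute limit caps how long a stolen cookie stays useful, and the re-authentication window means a user who walked away still cannot have something deleted on their behalf without the password, while ordinary browsing is not interrupted.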

 

Copyright © 2005-2006 Powered by Custom PHP Programming