Posted by Simon Dean on 10/25/22 11:34
John wrote:
> Simon Dean wrote:
>
>> John wrote:
>>
>>> Simon Dean wrote:
>>>
>>>> And while I'm at it... should I be using PHP's built-in sessions, or
>>>> use my own functions that I've cobbled together from various
>>>> sources and that also validate IP addresses?
>>>
>>>> I don't like to use things just because they're there.
>>>
>>> I know what you mean, but if it's there and it's working well, then
>>> use it.
>>>
>>> PHP sessions do work very well - except for one problem I found.
>>>
>>> MS IE kept using a different session ID for every page it requested!
>>>
>>> I solved this by creating my own session ID and storing it in a
>>> cookie, so I could get it back and force the same session ID each
>>> time.
>>
>> Hrm... apart from setting a cookie and hoping (since you can't rely on
>> PHP sessions), what you do isn't too different from what I do... I
>> just pass a session ID either in a cookie or on the URL, and verify
>> it's still active with the right IP address...
>>
>> which brings me, I think, onto my next question... another poster said
>> TCP/IP addresses are unreliable in some circumstances, so what else can
>> you use to verify that someone else hasn't stolen someone else's
>> session ID and is using that account?
>
> A good question - I may be getting out of my depth here, but this is
> what I understand:
>
> 1) if you used PHP sessions (and their own IDs) natively, it would take
> care of all that for you, but then you may run into the MS IE problem.
>
> 2) as I set my own session ID, I rely on generating a unique ID through
> mt_rand() and a time() combination. I must admit, I do no more checking
> on it, so it could happen that 2 people get the same ID - I'm just
> relying on it being a very small probability...
>
> I'm going to look into using the original PHP generated session ID, but
> keep it in my own cookie!
>
> Are you looking for a VERY secure method for doing something? If so,
> maybe you should be looking at something else, a secure server page?
> HTTPS?
>
> John.
>
Oh no, no, far from it. Just reusing the session ID algorithms that I
created for my celebrity website for the new work helpdesk
system.
Interesting note about the redundant proxies. That might explain why
I've had a couple of AOL users complaining to me...
Cya
Simon
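The thread above describes building a session ID from mt_rand() and time() and then tying the session to the client's IP address. The following is an added example, not code from either poster: it puts that construction beside an ID drawn from the operating system's CSPRNG, and shows a server-side lookup that does not depend on the IP staying constant (so it survives the proxy churn mentioned for AOL users). The in-memory array standing in for the session store, the function names, and the User-Agent comparison as a secondary signal are all assumptions made for the example.

```php
<?php
// Added example, not code from the thread.  Contrasts the mt_rand()+time()
// session ID described in the posts with a CSPRNG-based one, and shows a
// server-side validity check that does not bind the session to a client IP.

// The construction described in the thread.  Both inputs are guessable:
// time() is known to within seconds by anyone watching a login, and
// mt_rand() is a non-cryptographic generator, so an attacker who knows
// roughly when a victim logged in has a small space of IDs to try.
function weakSessionId(): string
{
    return md5(mt_rand() . time());
}

// 32 bytes from the OS CSPRNG, hex-encoded: 256 bits of entropy, unrelated to
// the clock, and practically impossible to collide or guess.
function strongSessionId(): string
{
    return bin2hex(random_bytes(32));
}

// Assumed store layout (a DB or PHP's own handler would replace the array):
//   id => ['user' => string, 'expires' => int, 'ua' => string]
function createSession(array &$store, string $user, string $userAgent, int $ttlSeconds = 1800): string
{
    $id = strongSessionId();
    $store[$id] = [
        'user'    => $user,
        'expires' => time() + $ttlSeconds,
        'ua'      => $userAgent,   // weak secondary signal, not a secret
    ];
    return $id;
}

// Returns the user for a presented ID, or null if the ID is unknown, expired,
// or arrives with a different User-Agent.  No IP comparison: the ID itself is
// the secret, and a user behind rotating proxies would otherwise be logged out.
function validateSession(array &$store, string $id, string $userAgent): ?string
{
    if (!isset($store[$id])) {
        return null;
    }
    $s = $store[$id];
    if ($s['expires'] < time()) {
        unset($store[$id]);         // drop stale sessions as they are seen
        return null;
    }
    if ($s['ua'] !== $userAgent) {
        return null;                // mismatch is a signal; treat as invalid here
    }
    return $s['user'];
}

// Issue the ID in a cookie that scripts cannot read and that is only sent
// over HTTPS, so it is not exposed on the URL or over plain HTTP.
function sendSessionCookie(string $id): void
{
    setcookie('SID', $id, [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage with constructed input.
$sessions = [];
$ua       = 'Mozilla/5.0 (example)';
$sid      = createSession($sessions, 'simon', $ua);
var_dump(validateSession($sessions, $sid, $ua));                 // the user
var_dump(validateSession($sessions, strongSessionId(), $ua));    // unknown ID
var_dump(validateSession($sessions, $sid, 'other-agent/1.0'));   // UA mismatch
```

The point of the contrast is that validating the IP address is an attempt to compensate for an ID that can be guessed; with a 256-bit random ID the guessing attack is gone, and the remaining risks are the ID being exposed in transit or in a URL, which the cookie flags above address.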