Re: Client-Side Session Data

Posted by Toby Inkster on 12/19/06 12:48

Vincent Delporte wrote:

> So HTTPS should be used when logging on and receiving the session ID
> cookie, but from then, it's OK to use HTTP?

That will stop people stealing users' login credentials, yes, *but* it's
still not completely secure, as the session ID could be intercepted and
used by an attacker.

You could make this slightly more secure by associating an IP address with
the session, and ending the session if the user's IP address changes,
though this may make things awkward for customers of certain ISPs such as
AOL that sit their customers behind a large pool of proxy servers.

If you're after the best security, keep using HTTPS for the entire session.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
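
The IP-pinning check described in the post above, as an added example that is not part of the original post. The class and function names, the optional prefix length for clients behind proxy pools, and the sample addresses are assumptions of this example.

```python
import ipaddress
import secrets


class SessionStore:
    """In-memory session table that pins each session ID to the client's network."""

    def __init__(self, v4_prefix=32, v6_prefix=128):
        # /32 and /128 mean "exact address". A shorter prefix (an assumption of
        # this example) tolerates clients that rotate through nearby proxies.
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self._sessions = {}  # session ID -> (user, pinned network)

    def _network(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

    def create(self, user, ip):
        sid = secrets.token_urlsafe(32)  # unguessable session ID
        self._sessions[sid] = (user, self._network(ip))
        return sid

    def validate(self, sid, ip):
        """Return the user, or None. An address mismatch ends the session."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, network = entry
        if ipaddress.ip_address(ip) not in network:
            del self._sessions[sid]  # end the session when the address changes
            return None
        return user


def session_cookie(sid):
    # Secure stops the browser sending the ID over plain HTTP, which is what
    # keeping HTTPS for the entire session relies on. HttpOnly hides it from scripts.
    return f"Set-Cookie: sid={sid}; Path=/; Secure; HttpOnly"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice", "192.0.2.10")    # constructed sample addresses
    print(store.validate(sid, "192.0.2.10"))     # same address: session valid
    print(store.validate(sid, "198.51.100.7"))   # address changed: session ended
    print(session_cookie(sid))
```

A session ID replayed from the pinned address still passes this check, so it supplements HTTPS for the whole session and does not replace it.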
