Posted by floortje on 10/31/07 21:37
On 2007-10-31 22:04:09 +0100, "Rik Wasmus" <luiheidsgoeroe@hotmail.com> said:
> On Wed, 31 Oct 2007 21:56:57 +0100, floortje <none@none.none> wrote:
>
>> On 2007-10-31 21:30:58 +0100, "Sanders Kaufman" <bucky@kaufman.net> said:
>>>> of the username, ip and supersecret
>>>> match the hd5hash in the cookie
>>> I use a "loginCookieValue" (UUID) in the users database.
>>> Every page-view gets a new one.
>>> That way - even if a would-be hacker steals a "session" for one page, it
>>> won't be good for the next.
>>
>> Even better of course, but I'd still check the IP.
>
> Then you'll be quite miserable with, for instance, AOL users. Sometimes
> those people seem to change IP (during a session I might add) due to
> their proxy network I believe...
AOL Proxy sends X-Forwarded-For, so there should be little trouble, but
your point is still valid. I personally never had any complaints, but
that says little.
Floortje
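
An added example, not part of any post in this thread: the per-page-view login cookie rotation described above, with a changed client IP reported as a signal instead of a hard failure. The class name, the in-memory dictionaries standing in for the users table, and the choice to drop the session when a stale value is replayed are assumptions of this example.

```python
import hmac
import secrets


class RotatingLoginTokens:
    """In-memory stand-in for a users table holding one loginCookieValue per user."""

    def __init__(self):
        self._current = {}   # username -> value expected on the next page view
        self._last_ip = {}   # username -> IP seen on the previous page view

    def login(self, username, ip):
        """Issue the first cookie value after a successful password check."""
        token = secrets.token_urlsafe(32)
        self._current[username] = token
        self._last_ip[username] = ip
        return token

    def page_view(self, username, presented, ip):
        """Validate the presented cookie value and rotate it.

        Returns (new_value, ip_changed). new_value is None when the value is
        unknown or already used; the session is then dropped (assumption of
        this example) so a stolen copy and the original both stop working.
        """
        expected = self._current.get(username)
        if expected is None or not hmac.compare_digest(
            expected.encode(), presented.encode()
        ):
            self._current.pop(username, None)
            self._last_ip.pop(username, None)
            return None, False

        # The IP is compared but not enforced: clients behind a proxy pool can
        # change address mid-session, so the caller decides what to do with it.
        ip_changed = self._last_ip.get(username) != ip

        new_value = secrets.token_urlsafe(32)
        self._current[username] = new_value
        self._last_ip[username] = ip
        return new_value, ip_changed


if __name__ == "__main__":
    # Constructed sample session using documentation-range addresses.
    store = RotatingLoginTokens()
    first = store.login("alice", "192.0.2.10")
    second, moved = store.page_view("alice", first, "198.51.100.7")
    print("rotated:", second != first, "ip changed:", moved)
    print("replay of old value:", store.page_view("alice", first, "192.0.2.10"))
```
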