Reply to Re: [PHP] Re: Security Issues - Where to look?

Posted by GamblerZG on 11/10/05 23:08

Chris Shiflett wrote:
> GamblerZG wrote:
>> I think it's still reasonable to restrict a session to a single IP.
> No, it's not, for all of the reasons Richard mentioned and more.

I agree that using only the IP to identify a session is bad.
Using only the SID is OK.
Using SIDs that are tied to a single IP is even _more secure_, since the
possible attacker would need to have exactly the same IP as a victim of
session hijacking. This comes at the price of a small inconvenience for
dial-up users (since they would need to log in on each reconnect), but I
think such a price is reasonable.

IMO, the best way is to re-generate SIDs on each request, but such a
method will decrease the performance of a script.
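
The two measures discussed in this post (a SID tied to one IP, and a new SID on every request), as an added PHP sketch that is not part of the original message. The function name `start_ip_bound_session` and the `bound_ip` session key are hypothetical, and `REMOTE_ADDR` is assumed to be the real client address rather than a proxy's.

```php
<?php
// Added illustration, not code from the thread.
// start_ip_bound_session() and the 'bound_ip' key are hypothetical names.

function start_ip_bound_session(string $clientIp): bool
{
    session_start();

    if (!isset($_SESSION['bound_ip'])) {
        // First request of this session: issue a fresh SID and
        // remember the address it was issued to.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $clientIp;
        return true;
    }

    if (!hash_equals($_SESSION['bound_ip'], $clientIp)) {
        // The SID arrived from a different address. Drop the session,
        // so the user has to log in again. This is the reconnect
        // inconvenience the post accepts for dial-up users.
        $_SESSION = [];
        session_destroy();
        return false;
    }

    // Same address: rotate the SID on every request. Passing true
    // deletes the old session data, so the previous SID stops working.
    // This extra write per request is the performance cost mentioned.
    session_regenerate_id(true);
    return true;
}

// Web entry point; skipped when the file is loaded from the CLI.
if (PHP_SAPI !== 'cli') {
    if (!start_ip_bound_session($_SERVER['REMOTE_ADDR'])) {
        http_response_code(401);
        exit('Session expired, please log in again.');
    }
}
```

Rotating the SID on every request with the old session deleted can also log out a user whose browser sends two requests at once, since the second may still carry the SID that was just invalidated.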
