Rasmus, et al.,

OK, I'm still confused. What does SSL have to do with any of this?
If I'm running a site using SSL, all that does is encrypt the
transmitted info, right? It doesn't have anything to do directly with
the sessions though?

The problem I'm wrestling with is:

Person A logs in to my SSL website and provides a username/password
which I verify. I then start a session for them. I have a ten minute
timeout period which gets reset with every page they visit during
this session.

I pass the session id using either a cookie that expires at the end
of the session or a URL. Using the cookie seems quite secure. Using
the session ID as part of the URL seems less secure because...

If person B happens to look over person A's shoulder and records the
URL (it is long and "obscure" with the session id but for sake of
argument) and then goes and visits the same web site he's in, right?
And using SSL doesn't affect this at all unless I'm totally confused
(quite possible). If A and B are both behind the same firewall their
IPs might not be distinguishable. The HTTP_REFERER stuff doesn't do
anything for me because they are already within my site?

Is this just an insoluble problem using the URL approach and the only
thing to do is require cookies be enabled?

Bill
--
Bill Rausch, Software Development, Unix, Mac, Windows
Numerical Applications, Inc. 509-943-0861 [EMAIL PROTECTED]
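
The setup described in the message above (verified login, then a session with a ten-minute idle timeout that resets on every page view), sketched as an added example that is not part of the original post, with the session ID confined to a cookie so it never appears in a URL. The function names, the `last_seen` key and `/login.php` are hypothetical, and the array form of `session_set_cookie_params()` assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original post); function names and 'last_seen' are hypothetical.

const IDLE_LIMIT = 600; // ten-minute idle timeout, as in the message

function start_secure_session(): void
{
    // Never accept or emit the session ID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    // Reject session IDs the server did not issue.
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => 0,        // cookie ends with the browser session
        'secure'   => true,     // only sent over SSL/TLS
        'httponly' => true,     // not readable from page scripts
    ]);
    session_start();
}

function session_is_live(int $now): bool
{
    if (empty($_SESSION['user']) || !isset($_SESSION['last_seen'])) {
        return false;                       // never logged in
    }
    if ($now - $_SESSION['last_seen'] > IDLE_LIMIT) {
        $_SESSION = [];                     // idle too long: drop server state
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;          // each page view resets the timer
    return true;
}

function mark_logged_in(string $username): void
{
    // Call only after the username/password check has succeeded.
    session_regenerate_id(true);            // new ID at login, old one deleted
    $_SESSION['user'] = $username;
    $_SESSION['last_seen'] = time();
}

// On every protected page:
start_secure_session();
if (!session_is_live(time())) {
    header('Location: /login.php');         // hypothetical login page
    exit;
}
```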