Re: How to build a web application the right way



larry@xxxxxxxxxxxxxxxxx wrote:

On Dec 29, 6:26 am, Vincent Delporte <just...@xxxxxxxx> wrote:

On 28 Dec 2006 12:06:53 -0800, "Anthony Smith" <mrsmi...@xxxxxxxxxxx>
wrote:


there a best practice for this. Currently what I do is have each page
include a check session include file.

From what I read, this is how it should be done. Put the check in a
file, and include it first thing in all the pages.


And to take it to the next step you include their remote address as
part of their session check (md5 with ip and user name or something to
mix it up) so if someone were to intercept your session and try to take
over, the change in client IP (during the session) would void the
access.


VERY BAD IDEA!

First of all, there are providers like AOL who have multiple servers. Every time a user accesses the page they may come in on a different IP address.

And many companies have one server for the entire company (or at least a site). Anyone coming into your site would be coming from the same IP address. Since the two most likely places to intercept the packets are on either end of the link and you know your server's end is secure (or at least hope it is), this provides no protection whatsoever. Worse, it bugs some users while providing a false sense of security for others.

Another thing would be to put a time limit on the current session
access (a session var with expiration time) so if some bad guy got in
from a user abandoning a terminal with a live connection it would time
out regardless. (or/also maybe have a re-verification for
sensitive/delete/admin parts just to make sure) Just depends on how
paranoid you want to be.


This is a good idea. But then if someone stupidly leaves a computer signed on in a public place, there is a limit to how much you can do without hassling all of the other users of your site.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
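An added example (not code from anyone in this thread) of the "check session" include discussed above: one file included first thing on every page, enforcing the idle timeout larry suggests and an optional re-verification step for sensitive pages, without binding the session to the client IP for the reasons Jerry gives. The session keys `user`, `last_seen`, `reauth_at` and the pages `/login.php` and `/reauth.php` are assumptions.

```php
<?php
// check_session.php: include this first on every protected page.
// Usage on a sensitive page:  $REQUIRE_REAUTH = true; require 'check_session.php';
// Assumes login.php sets $_SESSION['user'] and $_SESSION['last_seen'] on success,
// and reauth.php sets $_SESSION['reauth_at'] after re-checking the password.
declare(strict_types=1);

const IDLE_LIMIT    = 15 * 60; // seconds of inactivity before the session is dropped
const REAUTH_WINDOW = 5 * 60;  // how recent a password re-entry must be for sensitive pages

session_start();

// Not logged in at all: send to the login page.
if (empty($_SESSION['user'])) {
    header('Location: /login.php');
    exit;
}

// Idle timeout: a session left open on an abandoned terminal expires on its own,
// regardless of whether the user ever logs out.
$now = time();
if (!isset($_SESSION['last_seen']) || $now - $_SESSION['last_seen'] > IDLE_LIMIT) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?reason=timeout');
    exit;
}
$_SESSION['last_seen'] = $now;

// Re-verification for sensitive/delete/admin pages: the including page opts in by
// setting $REQUIRE_REAUTH before the include. Ordinary pages are not bothered.
if (!empty($REQUIRE_REAUTH)) {
    $lastAuth = $_SESSION['reauth_at'] ?? 0;
    if ($now - $lastAuth > REAUTH_WINDOW) {
        // remember where to return after the password is re-entered
        $_SESSION['after_reauth'] = $_SERVER['REQUEST_URI'];
        header('Location: /reauth.php');
        exit;
    }
}
```

Deliberately absent is any check on `$_SERVER['REMOTE_ADDR']`: as noted above, proxied and NAT'd users change or share addresses, so such a check locks out legitimate users while adding little.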


