Re: Why are they more secure?



Greetings, NC.
In reply to Your message dated Monday, March 31, 2008, 22:27:18,

every sane developer does not believe in session ID itself, but instead
he/she uses the SessionID+$_SERVER['REMOTE_ADDRESS'] combination.
And whenever the second one changed, either reset session or discard
cookie sent.

This is the recipe for trouble with AOL users, whose IP addresses may
change sporadically.

Bad for them, if it is true. And there is always a chance for a normal ISP with
sane routing schemes.

Not to mention the fact that IP address is fairly easy to spoof...

It is a bit off-topic here as it is a matter of lower-level network conflict
resolution. At application level, You have little chance to detect such
attacks, if they passed through network layer.

In closing, if Your data is THAT sensitive (or You're that paranoid), use
HTTPS.


--
Sincerely Yours, AnrDaemon <anrdaemon@xxxxxxxxxxx>
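
The session-plus-address check discussed in this message, as an added example that is not part of the original post: a PHP sketch that remembers the client address when the session starts and resets the session when a later request arrives from a different one. The helper name `enforce_address_binding` and the `bound_addr` session key are assumptions made for illustration; the address is read from `$_SERVER['REMOTE_ADDR']`.

```php
<?php
declare(strict_types=1);

/**
 * Bind a session to the client address it was created from.
 * Returns true when the session may continue, false when it was reset.
 * Hypothetical helper for illustration; 'bound_addr' is an assumed key name.
 */
function enforce_address_binding(array &$session, string $remoteAddr): bool
{
    if (!isset($session['bound_addr'])) {
        // First request of this session: remember where it came from.
        $session['bound_addr'] = $remoteAddr;
        return true;
    }
    if (hash_equals($session['bound_addr'], $remoteAddr)) {
        return true;
    }
    // Address changed: drop everything the session held. Users whose
    // address changes between requests (the AOL case raised in the
    // thread) also land here and have to log in again.
    $session = [];
    return false;
}

if (PHP_SAPI !== 'cli') {
    // Web request: apply the check to the real session.
    session_start();
    if (!enforce_address_binding($_SESSION, $_SERVER['REMOTE_ADDR'])) {
        // Issue a fresh ID so the old cookie value is useless, then re-bind.
        session_regenerate_id(true);
        $_SESSION['bound_addr'] = $_SERVER['REMOTE_ADDR'];
    }
} else {
    // Constructed sample: the same session data seen from two addresses
    // (documentation-range IPs, not real clients).
    $s = [];
    var_dump(enforce_address_binding($s, '192.0.2.10'));
    $s['user'] = 'alice';
    var_dump(enforce_address_binding($s, '192.0.2.10'));
    var_dump(enforce_address_binding($s, '198.51.100.7'));
    var_dump(isset($s['user']));
}
```

Run from the command line, the constructed sample accepts the two requests from the first address and resets the session on the request from the second, which is the same outcome a user with a changing address would see.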
