02-21-2008, 01:56 PM
The Visitor
Hey man,
You could generate some long random string or number, which you use as the session ID. So, you store this string, as it is, in your DB, and put that string, encrypted with the XOR algorithm, in a cookie. You can use the user's IP address as the encryption key, so when you see that the user has that cookie set to some value, you decrypt it using that user's IP, and if everything is OK, you'll get the real session ID.
The only advantage of this method, compared to a standard PHP session, is that the session ID is attached to the IP, so if a "hacker" steals that session ID to do some filthy things, he won't be able to do this from another computer (if, of course, he does not know about your implementation of session ID encryption).
And sorry for my ugly English :)
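The scheme described in the post above, as an added PHP example that is not the poster's code. It goes one step beyond the post: the second pair of functions binds the session ID to the IP with an HMAC under a server-side key, so the check does not depend on the scheme staying unknown. `$db` is an in-memory stand-in for the session table; `SERVER_KEY`, the function names and the IP addresses are constructed for illustration.

```php
<?php
// Hypothetical server-side secret; in practice load it from configuration.
const SERVER_KEY = 'constructed-demo-key';

// XOR $data with the IP text repeated to the same length (the post's scheme).
function xorWithIp(string $data, string $ip): string {
    if ($ip === '') { throw new InvalidArgumentException('empty IP'); }
    $key = substr(str_repeat($ip, intdiv(strlen($data), strlen($ip)) + 1), 0, strlen($data));
    return $data ^ $key;                      // PHP XORs two strings byte by byte
}

function issueSession(array &$db, string $ip, int $userId): string {
    $sid = bin2hex(random_bytes(32));         // long random session ID
    $db[$sid] = $userId;                      // stored as it is in the DB
    return base64_encode(xorWithIp($sid, $ip)); // value placed in the cookie
}

function lookupSession(array $db, string $cookie, string $ip): ?int {
    $raw = base64_decode($cookie, true);
    if ($raw === false) { return null; }
    return $db[xorWithIp($raw, $ip)] ?? null; // wrong IP decodes to an unknown ID
}

// Variant: session ID plus an HMAC over "sid|ip" keyed with SERVER_KEY.
function issueBound(array &$db, string $ip, int $userId): string {
    $sid = bin2hex(random_bytes(32));
    $db[$sid] = $userId;
    return $sid . '.' . hash_hmac('sha256', $sid . '|' . $ip, SERVER_KEY);
}

function lookupBound(array $db, string $cookie, string $ip): ?int {
    [$sid, $tag] = array_pad(explode('.', $cookie, 2), 2, '');
    $want = hash_hmac('sha256', $sid . '|' . $ip, SERVER_KEY);
    // Constant-time comparison; the tag only verifies for the issuing IP.
    return hash_equals($want, $tag) ? ($db[$sid] ?? null) : null;
}

// Constructed demo: same cookie presented from the issuing IP and from another.
$db = [];
$home = '203.0.113.7';
$other = '198.51.100.9';
$xorCookie = issueSession($db, $home, 42);
$macCookie = issueBound($db, $home, 42);
var_dump(lookupSession($db, $xorCookie, $home), lookupSession($db, $xorCookie, $other));
var_dump(lookupBound($db, $macCookie, $home), lookupBound($db, $macCookie, $other));
```

In both variants the lookup returns the user ID only when the request comes from the address the cookie was issued to, so a client whose IP changes mid-session has to log in again.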