username and password
View Single Post
06-28-2009, 02:08 AM
Join Date: Sep 2007
Originally Posted by
@VI Would you suggest binding the random ID to an IP to prevent black-hats from using the session when the user is logged in?
No, IP is not a good method of validating. IPs can change in a session and there are ways to spoof them. This method is about as secure as it comes, it is very similar to what we are doing for an internal file transfer site for our company (a mortgage banker).
HTTP is a stateless connection meaning there is no possible way to know for absolute certain that you are talking to the same person. The only way you can know is to have very hard to spoof data to validate on both ends, this data can always be stolen or faked. To circumvent this the data should change as often as possible so that a cracker's attempt will prove useless before long.
I personally stick away from server side sessions, they have harder to find insecurities and have been less realiable in regards to consistancy from my experience.
View Public Profile
Send a private message to Village Idiot
Find More Posts by Village Idiot