Article Reviews

Very nice
Review added by SoN9ne on 02-16-2010
This was a great read and very useful to any programmer. I enjoyed reading the article and have noticed a few typos, lol. As for the IP issue, I agree but there are ways to use part of the IP to help with session fixation which you only seemed to slightly touch.
I enjoyed this article very much, thanks for taking the time to post it.

A good read.
Review added by andformore on 01-16-2010
Thanks for this article. Overall, it was a good read. Most of the information in there I have picked up throughout my life, but this type of thing would have been very very helpful to me in my earlier days of programming. Anyone who is dealing with sessions and doesn't know much about them should definitely read this :-)

IPs should be used for validation, but complemented with another token
Review added by Dog Cow on 02-03-2009
You say in the second-to-last paragraph that "As you can see, validating logins by IP is not a good way."
Well, I am of the belief that IP address _should_ be validated in ALL cases, but should not be left at that. In other words, complement IP address session validation with something else, such as a session ID which is sent by cookie, or by also comparing the browser's user-agent. Using all 3 is probably one of the best methods of validating a session.
If IP address is NOT validated, then that actually makes it easier to hijack a session, since that's one less barrier to have to overcome.
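
The layered check discussed in the reviews above (session ID from the cookie, plus IP address, plus user-agent, with only part of the IP compared), as an added example that is not part of the article or of any review. The function names, the /24 and /64 prefix lengths and the sample values are assumptions made for illustration.

```python
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

# Assumed prefix lengths: compare only the network part of the address so a
# client whose address changes inside the same network is not logged out.
PREFIX = {4: 24, 6: 64}


def ip_prefix(ip: str) -> str:
    """Return the network an address belongs to, e.g. 203.0.113.0/24."""
    addr = ipaddress.ip_address(ip)
    return str(ipaddress.ip_network(f"{addr}/{PREFIX[addr.version]}", strict=False))


@dataclass
class Session:
    session_id: str   # random token sent to the browser in a cookie
    ip_net: str       # network prefix seen at login
    user_agent: str   # User-Agent header seen at login


def create_session(ip: str, user_agent: str) -> Session:
    return Session(secrets.token_urlsafe(32), ip_prefix(ip), user_agent)


def validate(sess: Session, cookie_id: str, ip: str, user_agent: str) -> list[str]:
    """Return the list of failed checks; an empty list means the request is accepted."""
    failed = []
    # Constant-time comparison of the secret token.
    if not hmac.compare_digest(sess.session_id.encode(), cookie_id.encode()):
        failed.append("session_id")
    try:
        if ip_prefix(ip) != sess.ip_net:
            failed.append("ip")
    except ValueError:  # malformed address is treated as a mismatch
        failed.append("ip")
    if user_agent != sess.user_agent:
        failed.append("user_agent")
    return failed


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    s = create_session("203.0.113.10", "ExampleBrowser/1.0")
    print(validate(s, s.session_id, "203.0.113.77", "ExampleBrowser/1.0"))  # []
    print(validate(s, s.session_id, "198.51.100.5", "ExampleBrowser/1.0"))  # ['ip']
```

Returning the names of the failed checks, rather than a bare boolean, lets the application log which binding broke before it destroys the session.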

Nice article
Review added by t3st on 11-27-2008
Nice article, I like it. Thanks for this wonderful article to read.