On Friday 28 January 2005 17:57, Perrin Harkins wrote:
> On Thu, 2005-01-27 at 22:44 -0700, Gordon Haverland wrote:
> > What am I working on in particular? Well, I really don't
> > want to see any sessions of my project get hijacked. So,
> > reading PerlMonks and other stuff, I happened across a
> > comment by Randal Schwartz about "branding" a browser
> > session. So, I am putting the IP, user agent, sessionID, and
> > a few other things, along with a HMAC_SHA1 digest of that
> > data and a 160 bit random number into the values part of a
> > cookie (session cookie).
>
> I suggest you avoid using IP, unless this is an intranet site
> where you have control over the network. Users who come
> through proxies (i.e. AOL and other large ISPs) can change
> their IP on every request.
Yep, I've read about that problem/characteristic, and also brought
it up with my local Linux Users Group with respect to 2 different
projects (one for the LUG, one outside). In this particular part
of the world, apparently this isn't much of a problem (changing
IPs from proxies). However, if a person can't trust the remote
IP to stay the same, the only other characteristic I've seen with
which to "brand" a browser is the user_agent_string. And that
one piece of information isn't unique enough for my purposes. Do
you have suggestions of other information which can be used to
"brand" a session?
Thanks,
Gord
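As an added illustration (not code from this thread or from Maypole), here is a Python sketch of the branding scheme Gordon describes, with the IP left out as Perrin suggests: the cookie carries the session id, a 160-bit random nonce and an HMAC-SHA1 over those plus the request's user agent, so a copied cookie replayed from a browser with a different user agent fails verification. The server key, session id and user-agent strings are constructed values.

```python
import hmac
import hashlib
import secrets

# Server-side key, never sent to the client (constructed value for this example;
# a deployment would use a random key and rotate it).
SERVER_KEY = b"constructed-example-key-replace-with-a-random-one"


def _mac(key: bytes, *fields: str) -> str:
    """HMAC-SHA1 over length-prefixed fields, so moving a '|' between
    fields cannot yield the same message bytes."""
    msg = b"".join(len(f.encode()).to_bytes(4, "big") + f.encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha1).hexdigest()


def brand_session(session_id: str, user_agent: str, key: bytes = SERVER_KEY) -> str:
    """Return the cookie value: session_id|nonce|mac.

    The 160-bit nonce makes every issued cookie unique. The user agent is not
    stored in the cookie; it is bound in through the MAC and re-read from the
    request at verification time. The client IP is deliberately left out."""
    if "|" in session_id:
        raise ValueError("session id must not contain the field separator")
    nonce = secrets.token_hex(20)  # 20 bytes = 160 bits of randomness
    return "|".join([session_id, nonce, _mac(key, session_id, nonce, user_agent)])


def verify_session(cookie: str, user_agent: str, key: bytes = SERVER_KEY):
    """Return the session id if the cookie is intact and was issued to a client
    with this user agent, otherwise None."""
    parts = cookie.split("|")
    if len(parts) != 3:
        return None
    session_id, nonce, mac = parts
    expected = _mac(key, session_id, nonce, user_agent)
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(mac, expected):
        return None
    return session_id


if __name__ == "__main__":
    ua = "Mozilla/5.0 (constructed example UA)"
    cookie = brand_session("sess-42", ua)
    print(verify_session(cookie, ua))            # sess-42
    print(verify_session(cookie, "Other/1.0"))   # None: different browser brand
    print(verify_session(cookie.replace("sess-42", "sess-43", 1), ua))  # None: tampered
```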
_______________________________________________
maypole mailing list
maypole at lists.netthink.co.uk
http://lists.netthink.co.uk/listinfo/maypole
This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 22:25:58 GMT