On Fri, 2005-01-28 at 18:07 -0700, Gordon Haverland wrote:
> Do you have suggestions of other information which can be used to
> "brand" a session?

Well, what are you trying to do? If you want to avoid people tampering
with the contents of your cookie or making up their own session IDs, an
HMAC is all you need. If you're trying to keep people from packet
sniffing cookies and using them, nothing short of SSL will be enough.
Using things like IP and User-Agent is a false-confidence builder if
you're dealing with someone sophisticated enough to steal cookies with a
packet sniffer.
- Perrin
_______________________________________________
maypole mailing list
maypole at lists.netthink.co.uk
http://lists.netthink.co.uk/listinfo/maypole
This archive was generated by hypermail 2.1.3 : Thu Feb 24 2005 - 22:25:58 GMT
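
The HMAC approach mentioned in the message above, sketched as an added example that is not part of the original post or of Maypole's code. The function names, cookie layout and key handling are assumptions made for illustration. It shows that a modified or made-up cookie is rejected, while a verbatim copy of a valid cookie still verifies, which is why the tag does nothing against sniffing and the transport has to be SSL.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed server-side key for this example; a real deployment loads it
# from protected configuration and never sends it to the client.
SERVER_KEY = secrets.token_bytes(32)


def b64e(data: bytes) -> str:
    """URL-safe base64 without padding, so '.' can be used as a separator."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def b64d(text: str) -> bytes:
    """Inverse of b64e: restore the padding and decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_cookie(session_id: str, payload: str, key: bytes = SERVER_KEY) -> str:
    """Return 'sid.payload.tag', where tag is HMAC-SHA256 over 'sid.payload'."""
    body = b64e(session_id.encode()) + "." + b64e(payload.encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64e(tag)


def read_cookie(cookie: str, key: bytes = SERVER_KEY):
    """Return (session_id, payload) if the tag verifies, otherwise None."""
    try:
        sid_b64, payload_b64, tag_b64 = cookie.split(".")
        body = sid_b64 + "." + payload_b64
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # compare_digest avoids leaking, via timing, how much of the tag matched.
        if not hmac.compare_digest(expected, b64d(tag_b64)):
            return None
        return b64d(sid_b64).decode(), b64d(payload_b64).decode()
    except (ValueError, UnicodeError):
        # Wrong number of fields, bad base64 or non-text content: reject.
        return None
```

The server accepts any byte-for-byte copy of a valid cookie, whoever presents it; the tag only proves the server issued that exact value.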