#1

I'm working on a site, and I plan to use some sort of sessions for
login. To avoid issues with cookies, it will pass the session ID around in a get parameter. However, if someone wants to send a link to their friends, they may send the session ID as well by mistake. What should I do to stop that?

Leif K-Brooks

#2

Quoth the raven named Leif K-Brooks:
> I'm working on a site, and I plan to use some sort of sessions for
> login. To avoid issues with cookies, it will pass the session ID
> around in a get parameter. However, if someone wants to send a link
> to their friends, they may send the session ID as well by mistake.
> What should I do to stop that?

Don't use a GET value, use a session variable, and check for it on the
other pages.

PHP:
$_SESSION['yourvarname'] = $_REQUEST['formfieldname'];

--
-bts
-This space intentionally left blank.

#3

Beauregard T. Shagnasty wrote:
> Quoth the raven named Leif K-Brooks:
>
>> I'm working on a site, and I plan to use some sort of sessions for
>> login. To avoid issues with cookies, it will pass the session ID
>> around in a get parameter. However, if someone wants to send a link
>> to their friends, they may send the session ID as well by mistake.
>> What should I do to stop that?
>
> Don't use a GET value, use a session variable, and check for it on the
> other pages.
>
> PHP:
> $_SESSION['yourvarname'] = $_REQUEST['formfieldname'];

Thanks, but I'm trying to set up my own session system using mod_python, and I'm trying to figure out the best way to pass the ID around.

#4

"Leif K-Brooks" <> wrote in message news:4BkVb.1268$...
> Beauregard T. Shagnasty wrote:
> > Quoth the raven named Leif K-Brooks:
> >
> >> I'm working on a site, and I plan to use some sort of sessions for
> >> login. To avoid issues with cookies, it will pass the session ID
> >> around in a get parameter. However, if someone wants to send a link
> >> to their friends, they may send the session ID as well by mistake.
> >> What should I do to stop that?
> >
> > Don't use a GET value, use a session variable, and check for it on the
> > other pages.
> >
> > PHP:
> > $_SESSION['yourvarname'] = $_REQUEST['formfieldname'];
>
> Thanks, but I'm trying to set up my own session system using mod_python,
> and I'm trying to figure out the best way to pass the ID around.

There's only 4 ways you can move the data around the site...
GET (in querystring), POST (in form object), SESSION (in session object), COOKIE (write a cookie to their 'pooter)

You don't want to do Cookie in the event they have cookies turned off... you don't want to do Get because they could end up passing on their login info to other users... That leaves either POST or SESSION.... post is probably out of the question because just to implement it would be not impossible but a real pain in the ass and could cause a few problems here and there

So that leaves the Session Object

#5

Augustus wrote:
>> Thanks, but I'm trying to set up my own session system using mod_python,
>> and I'm trying to figure out the best way to pass the ID around.
>
> There's only 4 ways you can move the data around the site... GET (in
> querystring), POST (in form object), SESSION (in session object), COOKIE
> (write a cookie to their 'pooter)
<snip>
> So that leaves the Session Object

Right, and how do you propose passing a session ID around in the session object I won't have until I can pass the session ID around?

#6

Augustus wrote:
> There's only 4 ways you can move the data around the site... GET (in
> querystring), POST (in form object), SESSION (in session object), COOKIE
> (write a cookie to their 'pooter)

What exactly do you think this "session object" *is*??? I'll tell you: it's a user-friendly wrapper around cookies, usually with the ability to drop back to using the query string for those browsers that don't support cookies.

So no, the mysterious "session object" is not an option here because Leif has already stipulated that he doesn't want to rely on cookies and has some problems with the query string.

My advice to Leif would be twofold:

1. Provide an "e-mail this page to a friend" link. Make sure you have a prominent "we will not sell your address to spammers" notice nearby.

2. Keep a record of the IP address with each session. If you get a request for a session from a different IP address, then it's likely that this is a different person, so redirect them to a different session. This isn't foolproof, but it's a good start.

Even better would be to not avoid cookies: use cookies, fall back to query string for browsers that don't do cookies, then implement #2 above only for those browsers that are using the fall-back mechanism.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?page=132
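The hybrid scheme Toby describes (cookie sessions, query-string fallback, IP binding only for the fallback), as an added example that is not code from this thread or from mod_python: a small Python session resolver where a fallback session ID arriving from an address other than the one that created it is refused, so a pasted link does not hand the poster's login to whoever follows it. The in-memory store, the `create_session`/`resolve_session` names and the sample addresses are all constructed for the example.

```python
import secrets
import time

# Constructed in-memory store for illustration only; a real site would keep
# this server-side in something shared across worker processes.
SESSIONS = {}

def create_session(user, client_ip, via_cookie):
    """Issue a new session ID.

    Sessions delivered by cookie are not tied to an address. Sessions that
    must travel in the query string (the no-cookie fallback) record the IP
    that created them, so a copied link stops working from elsewhere.
    """
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": user,
        "via_cookie": via_cookie,
        "bound_ip": None if via_cookie else client_ip,
        "created": time.time(),
    }
    return sid

def resolve_session(cookie_sid, query_sid, client_ip):
    """Return (user, sid) for the session this request may use, else (None, None).

    A cookie-delivered ID wins. A query-string ID is honoured only if it was
    issued as a fallback session and the request comes from the recorded IP;
    anything else is treated as somebody following a shared link, and the
    caller should start them a fresh session instead.
    """
    sess = SESSIONS.get(cookie_sid)
    if sess is not None and sess["via_cookie"]:
        return sess["user"], cookie_sid
    sess = SESSIONS.get(query_sid)
    if sess is not None and not sess["via_cookie"] and sess["bound_ip"] == client_ip:
        return sess["user"], query_sid
    return None, None

def demo():
    """Walk through the cases: cookie session, fallback session reused from
    its own IP, and the same fallback ID arriving from a different IP."""
    cookie_sid = create_session("alice", "192.0.2.10", via_cookie=True)
    fallback_sid = create_session("bob", "192.0.2.20", via_cookie=False)
    return (
        resolve_session(cookie_sid, None, "198.51.100.7")[0],    # 'alice' (cookie sessions are not IP-bound)
        resolve_session(None, fallback_sid, "192.0.2.20")[0],    # 'bob'
        resolve_session(None, fallback_sid, "198.51.100.7")[0],  # None: shared link refused
    )
```

As the thread goes on to note, clients whose address changes between requests will be bounced out of a fallback session by this check, which is why it is applied only to the no-cookie path.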

#7

Toby A Inkster wrote:
> 1. Provide an "e-mail this page to a friend" link. Make sure you have a
> prominent "we will not sell your address to spammers" notice nearby.

Might work, but people might want to post the page to a forum or some such.

> 2. Keep a record of the IP address with each session. If you get a request
> for a session from a different IP address, then it's likely that this is a
> different person, so redirect them to a different session.

Interesting idea, but doesn't AOL change IP for every request? As much as I hate AOL, I can't exclude its users.

> Even better would be to not avoid cookies: use cookies, fall back to query
> string for browsers that don't do cookies, then implement #2 above only
> for those browsers that are using the fall-back mechanism.

Thanks, good idea. I think I'll try that.

#8

Leif K-Brooks wrote:
> doesn't AOL change IP for every request?

I've checked my logs and yes, they do seem to. How irritating.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me - http://www.goddamn.co.uk/tobyink/?page=132

#9

"Leif K-Brooks" <> wrote in message news:asjVb.1264$...
> I'm working on a site, and I plan to use some sort of sessions for
> login. To avoid issues with cookies, it will pass the session ID around
> in a get parameter. However, if someone wants to send a link to their
> friends, they may send the session ID as well by mistake. What should I
> do to stop that?

Been following this thread with interest

Question: Why exactly do you require me to "login" to the site? Usually if I come across such a site I very quickly go elsewhere.

With all due respect if it is for something important like a banking site then the very act of asking this question here immediately disqualifies you from building such a site. Real security requires much more than just a session cookie, SSL at least and all sorts of other things.

Cheers
Richard.

#10

rf wrote:
> Question: Why exactly do you require me to "login" to the site?

It will be a community type site, with forums and such. I plan to make everything which can not require login (viewing forums, for instance), but things like posting will really need the user to login.

> With all due respect if it is for something important like a banking site
> then the very act of asking this question here immediately disqualifies you
> from building such a site. Real security requires much more than just a
> session cookie, SSL at least and all sorts of other things.

I'm not too worried about extreme security, there would only be virtual game money at stake.