to use session cookies or not to use session cookies
Posted: Sat Aug 04, 2007 11:34 pm
I was wondering what was more secure, using session cookies or not using session cookies... what's the pros and cons?
Thanks!
A community of PHP developers offering assistance, advice, discussion, and friendship.
http://forums.devnetwork.net/
astions wrote:
That's another issue, you can't check the IP because a lot of times it can change per page request. This usually happens with AOL users because they route http requests through clusters of proxy servers.

That's what I thought. Any suggestions on how to prevent stealing a session from computer to computer?
astions wrote:
You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.

Good idea. I think that's what MySpace does with MyToken.
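The two points raised so far, keeping the session id in a cookie rather than the URL and rotating the id often, as an added example in PHP (not code from this thread or from any of its posters). It assumes a modern PHP (7.3 or later for the SameSite setting) and a five-minute rotation interval chosen only for illustration:

```php
<?php
// Added example, not from the thread: a hardened session bootstrap for a PHP
// login flow. Cookies only, server-issued ids only, HttpOnly/Secure cookie,
// and id rotation at login and on a timer.
declare(strict_types=1);

ini_set('session.use_only_cookies', '1');  // never accept ?PHPSESSID= from the URL
ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
ini_set('session.cookie_httponly', '1');   // cookie not readable by JavaScript
ini_set('session.cookie_secure', '1');     // cookie only sent over HTTPS
ini_set('session.cookie_samesite', 'Lax'); // PHP >= 7.3; limits cross-site sending
session_start();

const ROTATE_AFTER_SECONDS = 300; // assumed policy: rotate at least every 5 minutes

/**
 * Issue a fresh session id while keeping the session data. The old id is
 * deleted server-side, so a cookie copied earlier stops working.
 */
function rotateSessionId(): void
{
    session_regenerate_id(true);           // true = destroy the old session record
    $_SESSION['last_rotation'] = time();
}

/** Call on every request after session_start(). */
function rotateIfStale(): void
{
    $last = $_SESSION['last_rotation'] ?? 0;
    if (time() - $last > ROTATE_AFTER_SECONDS) {
        rotateSessionId();
    }
}

/** Call once credentials have been verified; never keep the pre-login id. */
function loginUser(int $userId): void
{
    rotateSessionId();                     // fixation defence: new id at privilege change
    $_SESSION['user_id'] = $userId;
}

rotateIfStale();
```

Rotating on every single request, as suggested above, is possible but tends to break concurrent requests (parallel AJAX calls) that still carry the id just deleted, which is why this example rotates at login and on an interval instead.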
tecktalkcm0391 wrote:
astions wrote:
You can somewhat mitigate the risk of sessions being hijacked by changing the session id often, maybe even per page request.
Good idea. I think that's what MySpace does with MyToken.

Hehe, I've stolen a "MyToken" before and was automatically logged into their account after loading it into my cookies. It didn't work the last time I did it though, and a good thing, too. If any website on the entire internet should put more effort into security, it's MySpace.
superdezign wrote:
If any website on the entire internet should put more effort into security, it's MySpace.

Yeah, they need to be... especially because I can log in using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD - works... etc.
tecktalkcm0391 wrote:
superdezign wrote:
If any website on the entire internet should put more effort into security, it's MySpace.
Yeah, they need to be... especially because I can log in using just the letters in my password in any case...
password - works
pAssword - works
PASSWORD - works... etc.

Case-insensitive passwords? That's.... that's dumb.
astions wrote:
Hmm, that probably means they are either not encrypting them, or they are converting them to lower case or upper case before encrypting them.

Yeah, but MySpace passwords should be encrypted, and isn't it easier to guess passwords that are all lowercase than something like: PasSWOrD07