andrew has asked for the wisdom of the Perl Monks concerning the following question:

Currently I am storing sessions in my MySQL database and I'm using the time and IP to identify the user. But the problem is, if people are behind a router, like a whole company, then they're going to see someone who is logged in because they'll have the same IP. This just struck me. Any hints or suggestions?

Replies are listed 'Best First'.
Re: Sessions Vrs. Cookies
by dws (Chancellor) on Oct 04, 2002 at 19:04 UTC
    I'm using the time and IP (address) to clarify the user.

    As you've noted, the IP address isn't reliable. The two primary alternatives are Cookies (either session cookies or more permanent ones), or embedding a session id in URLs.

    The advantage of using a Cookie is that you can maintain the session across static pages. The URL approach pretty much requires that all pages be dynamic.

    My advice is to read up on cookies. merlyn has several columns that will help you get up to speed.

Re: Sessions Vrs. Cookies
by swiftone (Curate) on Oct 04, 2002 at 19:08 UTC
Re: Sessions Vrs. Cookies
by SFLEX (Chaplain) on Dec 08, 2006 at 11:18 UTC
    You're close to the right track in using the time and IP to tell the clients apart.
    But what I did to also tell the clients apart is format a session key with the user's name, pass, IP and date expires.
    That way, if a client has the same IP, the client's session ID would still have to be formatted with the other info and the way I have it coded.
    It keeps track of the last time the client has authenticated and if the client accesses a page in less than one second it returns an error "Please allow 1 second wait before next page".
    Hoping it will slow a brute force attack on the session ID.

    I think using a hidden form field for the user's authentication would be nice.
    Only if it stayed in a hidden form field. Once the session ID is passed through a link then you get into a security issue of the session ID being in the client's Referer. From there the session ID can be seen by other sites.

    I'm not the best at sessions and am still finding new ways to authenticate the clients.
Re: Sessions Vrs. Cookies
by andrew (Acolyte) on Oct 04, 2002 at 21:03 UTC
    I'm trying not to use cookies!!
      If you don't want to use cookies to maintain state, then you can try storing a session identifier in a hidden form field in each page -- it is easily retrieved. I think this was the approach taken in the days before Netscape introduced cookies. An alternative is URL-encoded session keys (this is the Java approach when cookies are not enabled in the web client). Good luck!

      PCS
        If you don't want to use cookies to maintain state, then you can try storing a session identifier in a hidden form field in each page -- it is easily retrieved.

        Hidden fields only work with forms.
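The common thread in dws's reply (cookies or a session id in the URL) and PCS's reply (a hidden form field) is that the server stores the session and the client carries only an opaque identifier; the transport differs, the identifier does not. The example below is added here and is not code from any of the posters. It stands in for the MySQL table with a plain hash, generates the identifier from the OS random device rather than from time and IP, and shows that two clients coming from the same address get separate sessions. The functions `new_session_id`, `create_session`, `session_cookie_header`, `session_hidden_field` and `user_for_request` are names assumed for this example; the `sid` cookie/field name and the one-hour lifetime are also assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use MIME::Base64 qw(encode_base64);

# Stand-in for the MySQL sessions table (constructed for this example):
# session_id => { user => ..., expires => epoch_seconds }.
my %sessions;

# 128 random bits from the OS CSPRNG, base64url-encoded (22 chars).
# The id depends on nothing the client controls or shares (IP, time, username),
# so two browsers behind one NAT address cannot collide or guess each other.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "cannot open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    my $id = encode_base64($bytes, '');   # '' = no line breaks
    $id =~ tr{+/}{-_};                    # make it URL- and cookie-safe
    $id =~ s/=+\z//;                      # drop padding
    return $id;
}

# Create a server-side session and return only the opaque id.
sub create_session {
    my ($user, $ttl_seconds) = @_;
    my $id = new_session_id();
    $sessions{$id} = { user => $user, expires => time() + $ttl_seconds };
    return $id;
}

# Cookie transport (dws's suggestion). HttpOnly keeps the id away from
# page scripts; Secure should be added when the site is served over TLS.
sub session_cookie_header {
    my ($id, $ttl_seconds) = @_;
    return "Set-Cookie: sid=$id; Max-Age=$ttl_seconds; Path=/; HttpOnly; SameSite=Lax";
}

# Hidden-field transport (PCS's suggestion). Only valid inside a form that is
# POSTed; never put the id in a link, or it ends up in other sites' Referer logs.
sub session_hidden_field {
    my ($id) = @_;
    (my $safe = $id) =~ s/([&<>"'])/sprintf('&#%d;', ord $1)/ge;
    return qq{<input type="hidden" name="sid" value="$safe">};
}

# Minimal Cookie: header parser; returns a hashref of name => value.
sub parse_cookie_header {
    my ($header) = @_;
    my %c;
    for my $pair (split /;\s*/, $header // '') {
        my ($k, $v) = split /=/, $pair, 2;
        $c{$k} = $v if defined $k && defined $v;
    }
    return \%c;
}

# Resolve a request to a user. The client's IP is deliberately not consulted;
# the id alone identifies the session, and an unknown or expired id yields undef.
sub user_for_request {
    my ($cookie_header) = @_;
    my $sid = parse_cookie_header($cookie_header)->{sid};
    return undef unless defined $sid && $sid =~ /\A[A-Za-z0-9_-]{22}\z/;
    my $s = $sessions{$sid} or return undef;
    if ($s->{expires} <= time()) {
        delete $sessions{$sid};           # lazy expiry on access
        return undef;
    }
    return $s->{user};
}

# Constructed scenario: two users whose browsers share one public IP.
my $ttl   = 3600;
my $alice = create_session('alice', $ttl);
my $bob   = create_session('bob',   $ttl);

print session_cookie_header($alice, $ttl), "\n";
print session_hidden_field($bob), "\n";
for my $sid ($alice, $bob, 'AAAAAAAAAAAAAAAAAAAAAA') {
    printf "%s -> %s\n", $sid, user_for_request("sid=$sid") // 'no session';
}
```

The lookup accepts only a well-formed 22-character id, so a malformed value never reaches the store; with 128 bits of randomness per id, SFLEX's one-request-per-second throttle is a defence in depth rather than the thing standing between an attacker and a valid session. Whichever transport is used, the server-side row is the session; replacing the in-memory hash with a DBI table keyed by the id keeps the rest unchanged.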