Re: Re: Re: (not so) Invisible Cookies

Replies are listed 'Best First'.
Re: Re: Re: Re: (not so) Invisible Cookies by Ovid (Cardinal) on Nov 02, 2002 at 23:07 UTC
Yes, that's better, but it does guarantee that some users will not be able to use your site. The user might be sitting behind a proxy that uses a different IP address with every request. AOL users, for example, have a different IP address almost every time they connect. Thus, if anyone connects to your site using an IP address that someone else has used, they'll gain access to the other person's session. You want to use some form of random session ID that times out. One caveat, though: do not use sequential IDs. If someone connects and has a session ID of "307920" and the previous person had "307919", then someone can easily change their cookie value to hijack someone else's session. Random session IDs that time out in a relatively short period of time stand the best chance of avoiding a session hijacking issue. Also, I should mention that you want the session start time to be stored on the server and not relying on the "-expires" key in your cookie. You maintain control over the session timeout yourself and you don't have to worry about someone changing their clock on their computer (or worse, having a non-standards compliant browser ignoring the timeout value for the cookie). Cheers, Ovid Join the Perlmonks Setiathome Group or just click on the the link and check out our stats.	[reply]
Re: Re: Re: Re: (not so) Invisible Cookies by Anonymous Monk on Nov 03, 2002 at 01:00 UTC
Not really. That won't work for multiple proxy setups such as AOL, and it will break if you've got two users behind the same NAT gateway. I would reccomend using some sort of session tracking system instead. Check out CGI::Session.	[reply]