in reply to Re: The sound of one cookie (not) authenticating
in thread The sound of one cookie (not) authenticating

So, no cookies, eh? Check to see whether the unique module is available anyway (assuming you're using Apache).

It sounds to me like all you can get to reidentify an individual is what you can get through vanilla CGI and possibly javascript, and you want security on sessions.

Good luck. You might do OK by making the session ID a combination of IP, user agent string, and any other info you can get from the user's client automatically (see a Javascript reference for that sort of thing) that might differ between different client programs (or different instances of the same client program). I.e. if you know that this is a different user agent OR different IP OR different (whatever), you say "sorry, but I can't verify your identity."

Nothing along these lines is going to be perfect in preventing another user 'hijacking' a session ID. (e.g. a computer lab with 25 machines all running IE 5.5 sp 1 on WinNT that access the site via NAT are all going to come out the same on all these criteria, unless there's some unique ID for each copy of the browser program, but even that's going to be vendor-dependent).

I suppose you could use the PIII's ID and an ActiveX control or some such ... =) (j/k)

If this is a real "shopping cart," I'd suggest you reconsider your hosting situation. If it's an exercise, well, nice brain teaser.

Philosophy can be made out of anything. Or less -- Jerry A. Fodor


Do not use IP for any kind of web authentication!!
by merlyn (Sage) on Apr 03, 2001 at 18:24 UTC
    Do not use IP. Do not use IP. Do not use IP.

    IP can change from one hit to the next (think "AOL"). IP can be the same for many different users (think "AOL" or every corporate or ISP proxy).

    If the answer is "IP", you've asked the wrong question. {grin}

    -- Randal L. Schwartz, Perl hacker

Re: Re: Re: The sound of one cookie (not) authenticating
by Hero Zzyzzx (Curate) on Apr 03, 2001 at 17:27 UTC

    Arturo:

    You hit the nail on the head with my issues here, and why I'm somewhat stumped. This isn't an exercise, and I think probably a lot of people with minimal e-commerce sites are in my situation, though they may not be as much of a purist as I.

    I may end up just going back to cookies. I do like the "store session id in form data" idea mentioned a couple of answers back, though I need to think fully through the security ramifications.

    I'll report back on what I decide to do.

      Not that I meant to be yelling "homework!" 'Cos even if it was homework, I think you're asking the right kind of question in the right kind of way (it's not a 'write this code for me' kind of question, it's a "how the heck would I do this?" question).

      AFA cookies and 'purism' go, since the cookie is used only to verify that this is indeed the same client program as before (and otherwise holds no info about the user), you could tell your users that your site uses cookies, for what purpose, and tell them that they're not otherwise used to track the user or gather information about them. Give them links to erase their sessions, etc.

      Last gasp: I don't know how the user gives you payment information, but if you have SSL, there's some more session ID possibility in that ...

      Philosophy can be made out of anything. Or less -- Jerry A. Fodor
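The "store the session ID in form data" idea discussed above, worked through as an added example (not code from any poster in this thread): the ID is carried in a hidden form field, signed with an HMAC so the client cannot forge or extend it, given an expiry, and deliberately not tied to IP or User-Agent. The server key and the 30-minute TTL are constructed values for the example.

```python
import hmac
import hashlib
import secrets
import time

# Constructed secret for this example; a real deployment loads it from
# protected configuration and rotates it.
SERVER_KEY = b"constructed-example-key-do-not-reuse"
SESSION_TTL = 1800  # seconds a token stays valid


def issue_token(now=None):
    """Mint a cookieless session token: random id + expiry, HMAC-signed."""
    now = int(time.time()) if now is None else now
    sid = secrets.token_hex(16)          # 128-bit random session id
    payload = f"{sid}.{now + SESSION_TTL}"
    mac = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_token(token, now=None):
    """Return the session id if the token is intact and unexpired, else None.

    Only the signature and expiry are checked; client IP and User-Agent are
    ignored on purpose, since both change or collide across proxies and NAT.
    """
    now = int(time.time()) if now is None else now
    try:
        sid, expires, mac = token.split(".")
        expires = int(expires)
    except ValueError:
        return None                      # malformed field
    expected = hmac.new(SERVER_KEY, f"{sid}.{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None                      # forged or tampered
    if now >= expires:
        return None                      # expired
    return sid


def hidden_field(token):
    """Render the token as the hidden field carried on every form POST."""
    return f'<input type="hidden" name="sid" value="{token}">'
```

Every form the site emits must include the hidden field, and the server re-issues a fresh token on each response so the expiry slides with activity.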