in reply to Re: Re: Re: Session identification (was: Game).
in thread Game.

Yes, but if you give them 20-char session IDs, their chances of guessing someone elses are really quite low. Very, very low. Tiny, in fact.

Of course, this doesn't stop someone hijacking their session. For this, you would want to send a different session number with every page, and only allow them to continue if you get it back with the request for the next page. Quite difficult to do, and very annoying for them if they want to browse in two windows at the same time. Or use SSL.

____________________
Jeremy
I didn't believe in evil until I dated it.

  • Comment on Re: Re: Re: Re: Session identification (was: Game).

Replies are listed 'Best First'.
Re: Re: Re: Re: Re: Session identification (was: Game).
by Vynce (Friar) on Jun 06, 2001 at 10:51 UTC

    and if they go back 3 pages and do somethign different so that they are using the session ID from 3 requests ago, are they just out of luck?

    or, to be a little more explicit,
    actionsends session_ID
    user comes to siten/a
    server serves main pagen/a
    user logs inn/a
    server shows logged-in page123
    user requests page 52123
    server gives page 52456
    user requests page 52-c456
    server gives page 52-c135
    user requests page 52-f135
    server gives page 52-f237
    user hits "back" to go
    back to login screen
    and requests page 38    		123
    server was expecting 237 ... what does it do??

    this case, and others like it, make me think this method is unworkable. but maybe you see it differently; maybe i'm overlooking something, or maybe you just are willing to do more work than i am. but if it will continue to accept old session_ID's, then why bother changing them? and if it won't, i think a lot of people are going to be upset at the inability to "back".

[reply]
      Yes, that's why it's annoying. Well spotted. Use SSL instead.

      This system was common at one point in time - it's not so bad, you just have to use the navigation buttons the site provides.

      ____________________
      Jeremy
      I didn't believe in evil until I dated it.

[reply]

In Section Seekers of Perl Wisdom