in reply to Is this a secure way to handle login?

Depends on how secure you need it to be.

Any person that is able to sniff the GET query (to obtain the session id) and can spoof the IP of the machine that made the original query would be able to circumvent your security.

Re: Re: Is this a secure way to handle login?
by tipthepizzaguy (Initiate) on Mar 28, 2002 at 05:16 UTC
    I know a hacker can sniff the session ID from the URL, so that's the reason for a random number. I don't see how they can spoof the user IP. That comes from the environment variable. Both are needed for security. There will be a new random number assigned the next time the same user logs in. It will also record a new user IP (some users have dynamic IPs.)
      Now I'm wondering if the session ID# is redundant. Why not just save the user IP (environment variable) to a temp file when they log in? Compare that to the user IP (environment variable) upon page load.

      It is possible to spoof an IP address; do a web search for 'IP spoofing' and you'll find a fair few pages about it. You may not know how to do it, but intruders sure do. You can't trust anything you receive, so it's often a good idea to make sure anything you want to be truly secure is protected by an HTTPS layer.

      Without HTTPS assume anything that's sent can be intercepted, and anything incoming can be forged.

      Don't forget also that one user may have multiple sessions running concurrently, or use 'Open In New Window/New Tab' to 'split' the user path, thus limiting the usefulness of changing numbers on a per-request basis.

      This is a significantly non-trivial task; using a prebuilt is generally far, far easier, especially if your own security knowledge is limited.
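
An added example, not part of the thread and not any poster's code: a minimal in-memory session store showing the points raised above, with one unguessable token per login (so concurrent windows each keep a valid session) and the client address kept only as a change signal rather than as proof of identity. The names `SessionStore`, `ip_only_check` and `SESSION_TTL` are hypothetical, the 30-minute timeout is an assumed value, and the token is assumed to travel only over HTTPS.

```python
import hashlib
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed idle timeout, not a value from the thread


class SessionStore:
    """In-memory store: one record per login, so a user may hold several sessions."""

    def __init__(self):
        self._sessions = {}  # sha256(token) -> record; raw tokens are never stored

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, remote_addr, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "user": user, "ip": remote_addr, "seen": now}
        return token

    def validate(self, token, remote_addr, now=None):
        """Return (user, ip_changed) for a live session, else None."""
        now = time.time() if now is None else now
        key = self._key(token or "")
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if now - rec["seen"] > SESSION_TTL:
            del self._sessions[key]  # idle too long: drop the session
            return None
        rec["seen"] = now
        # The address is a signal to log or re-prompt on, never proof of identity.
        return rec["user"], remote_addr != rec["ip"]

    def logout(self, token):
        self._sessions.pop(self._key(token or ""), None)


def ip_only_check(saved_ip, remote_addr):
    """The address-only comparison asked about in the thread, for contrast."""
    return saved_ip == remote_addr
```

With the address-only check, any client presenting the same address passes; with the store, a request without the token is rejected even from the same address, and a changed address on a valid token is reported to the caller instead of silently trusted.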