apm
02-01-2000, 11:48 PM
I am implementing my own session program. Although it works fine, I just have a few questions regarding security.
I know it would be a problem if the user has a SID and then sends it to a friend who then will try to use the same SID. This could pose a serious risk, as the session vars for user 1 will be available to user 2 if the SID has not yet timed out. The best solution out there was the IP address solution. But I had a few doubts which I wanted to get clarified.
Use IP address. From what I have heard, the IP solution is the best unless it's from a proxy server, which would mean that the IP address would keep changing with every call.
I was on the IRC chat and someone told me this is not the case with proxy servers: the IP address remains the same, only the port keeps changing with every call. If this is the case, then what is the information that I should store in the sessvar so that the SID can be validated? Should I store the IP and port, or should I only store the IP address?
1) Which of the above is true for proxies: does the IP change, or only the port, with every call the user makes?
2) If you connect through a proxy, will each user on the proxy have a different IP address?
3) If not, how would I go about solving the problem of validating the SID with the user if a user is using the proxy server to connect? As in, how would I prevent 2 users from having the same SID (in case one does a cut and paste from another) connecting through the same proxy server? I guess I am looking for a little bit of a logic "diagram".
I hope I am clear enough in what I am looking for. If you guys need some clarification, just email me or post. I will be glad to help you help me out :)
Thanks in advance
apoorva
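As an added example (not code from the poster), here is the kind of server-side check the question is about: a session store that records only the client IP against each SID, never the source port, and walks through the cases raised above (port changing between calls, a pasted SID from another network, a second user behind the same proxy, idle timeout). It assumes Python, an in-memory store, and constructed addresses from the documentation ranges.

```python
import secrets
import time


class SessionStore:
    """Binds each SID to the client IP it was issued to; the source port is ignored,
    since a client's port is new for every TCP connection (through a proxy, for every
    call) and so identifies nothing."""

    def __init__(self, timeout=900, clock=time.time):
        self._sessions = {}      # sid -> {"ip", "expires", "vars"}
        self._timeout = timeout  # idle seconds before the SID dies
        self._clock = clock      # injectable so the demo can fake time

    def create(self, client_addr):
        ip, _port = client_addr                 # (ip, port) as a socket reports it
        sid = secrets.token_hex(16)             # 128 random bits: not guessable
        self._sessions[sid] = {"ip": ip, "expires": self._clock() + self._timeout,
                               "vars": {}}
        return sid

    def lookup(self, sid, client_addr):
        """Session vars if the SID is live and presented from the same IP, else None."""
        ip, _port = client_addr
        sess = self._sessions.get(sid)
        now = self._clock()
        if sess is None or now > sess["expires"]:
            self._sessions.pop(sid, None)       # unknown or timed out: a copied SID dies too
            return None
        if sess["ip"] != ip:
            return None                         # presented from another address: refuse
        sess["expires"] = now + self._timeout   # sliding idle timeout
        return sess["vars"]


def demo():
    """The cases from the question, with a fake clock and constructed addresses."""
    now = [1000.0]
    store = SessionStore(timeout=60, clock=lambda: now[0])
    sid = store.create(("203.0.113.7", 40001))
    store.lookup(sid, ("203.0.113.7", 40001))["user"] = "alice"
    port_changed = store.lookup(sid, ("203.0.113.7", 40002))   # same IP, new port
    friend = store.lookup(sid, ("198.51.100.9", 5000))         # pasted SID, other network
    proxy_peer = store.lookup(sid, ("203.0.113.7", 40003))     # other user, same proxy IP
    now[0] += 61                                               # idle past the timeout
    expired = store.lookup(sid, ("203.0.113.7", 40004))
    return {"port_changed_ok": port_changed == {"user": "alice"},
            "friend_rejected": friend is None,
            "proxy_peer_accepted": proxy_peer == {"user": "alice"},  # IP alone cannot tell them apart
            "expired_rejected": expired is None}
```

The `proxy_peer_accepted` outcome is the limit of the IP approach for question 3: behind a shared proxy the address check cannot distinguish two users, so the SID itself must stay secret and the idle timeout short.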