web-security methods, advice please!
Fraser Campbell
fraser-eicrhRFjby5dCsDujFhwbypxlwaOVQ5f at public.gmane.org
Wed Jan 3 04:38:33 UTC 2007
On Sunday 31 December 2006 19:53, Madison Kelly wrote:
> - To create this session hash I create a random number and store it
> in the database. I look at the current date on the server and then I
> combine: [UID + Random # + Date + Client UA + Client IP Address] and
> create a simple SHA256 base64 hash.
I have tried this and I would say you at least have to drop the IP address
(perhaps not, depends on what traffic you're expecting).
There are clients where you can't depend on a user coming from the same IP all
the time; they are proxied and the proxy can change from click to click (this
was the case with AOL about 2 years ago when I was checking into it).
--
Fraser Campbell <fraser-Txk5XLRqZ6CsTnJN9+BGXg at public.gmane.org> http://www.wehave.net/
Georgetown, Ontario, Canada Debian GNU/Linux
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
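The following is an added illustration, not code from either poster: it shows why a session hash that mixes in the client IP (the scheme quoted above) silently breaks when the user's proxy changes address between requests, and contrasts it with a server-side random token that binds the session to the user agent only. The `SessionStore` class, the `thread_style_hash` helper and all sample values are constructed assumptions for this example.

```python
"""Session tokens with and without client-IP binding.

Constructed example for the thread above. `thread_style_hash` follows the
quoted recipe (SHA-256 over UID, random number, date, UA and IP, base64).
`SessionStore` is an assumed alternative: an opaque random token looked up
in a server-side record, with no IP in the key material.
"""
import base64
import hashlib
import hmac
import secrets
import time


def thread_style_hash(uid, rand, date, ua, ip):
    """Session hash as described in the quoted post (IP included)."""
    material = f"{uid}|{rand}|{date}|{ua}|{ip}".encode()
    return base64.b64encode(hashlib.sha256(material).digest()).decode()


def ip_bound_session_survives(uid, rand, date, ua, ip_at_login, ip_now):
    """True only if the hash recomputed on a later request still matches.

    With a rotating proxy, ip_now differs from ip_at_login and the user is
    logged out even though nothing else about the session changed.
    """
    issued = thread_style_hash(uid, rand, date, ua, ip_at_login)
    recomputed = thread_style_hash(uid, rand, date, ua, ip_now)
    return hmac.compare_digest(issued, recomputed)


class SessionStore:
    """Assumed in-memory store keyed by sha256(token); a real app would use
    the database the poster already has."""

    def __init__(self, ttl_seconds=3600, clock=time.time):
        self._sessions = {}          # sha256(token) -> record
        self._ttl = ttl_seconds
        self._clock = clock          # injectable for testing expiry

    @staticmethod
    def _key(token):
        # Store only a hash of the token so a leaked table does not hand
        # out live sessions.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, uid, user_agent):
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {
            "uid": uid,
            "ua_hash": hashlib.sha256(user_agent.encode()).hexdigest(),
            "created": self._clock(),
        }
        return token

    def lookup(self, token, user_agent):
        """Return the uid for a valid token, or None. No IP check at all."""
        key = self._key(token)
        rec = self._sessions.get(key)
        if rec is None:
            return None
        if self._clock() - rec["created"] > self._ttl:
            del self._sessions[key]      # expired: drop it
            return None
        ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()
        if not hmac.compare_digest(rec["ua_hash"], ua_hash):
            return None
        return rec["uid"]


if __name__ == "__main__":
    # Constructed values: same user, proxy address changes between clicks.
    print(ip_bound_session_survives(42, 123456, "2007-01-03",
                                    "Mozilla/5.0", "10.0.0.1", "10.0.0.2"))
    store = SessionStore()
    tok = store.create(42, "Mozilla/5.0")
    print(store.lookup(tok, "Mozilla/5.0"))
```

Because the token itself carries all the entropy, there is no need to derive it from UID, date or IP; the server-side record already says who the session belongs to and when it was issued, so the lookup can enforce expiry and the user-agent check without ever consulting the client address. The user-agent binding is only a weak sanity check (the header is client-supplied), but unlike the IP it does not change from click to click behind a proxy.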