web-security methods, advice please!
Madison Kelly
linux-5ZoueyuiTZhBDgjK7y7TUQ at public.gmane.org
Wed Jan 3 04:52:55 UTC 2007
Fraser Campbell wrote:
> On Sunday 31 December 2006 19:53, Madison Kelly wrote:
>
>> - To create this session hash I create a random number and store it
>> in the database. I look at the current date on the server and then I
>> combine: [UID + Random # + Date + Client UA + Client IP Address] and
>> create a simple SHA256 base64 hash.
>
> I have tried this and I would say you at least have to drop the IP address
> (perhaps not, depends on what traffic you're expecting).
>
> There are clients where you can't depend on a user coming from the same IP all
> the time, they are proxied and the proxy can change from click to click (this
> was the case with AOL about 2 years ago when I was checking into it).
>
That's three or four recommendations to drop the IP, so yeah, it's gone. :)
Mady
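The token scheme described in this thread, as an added example that is not code from the original post: a SHA-256/base64 digest over [UID + random number + date + client UA], with the IP address dropped as recommended, plus the server-side check that recomputes the digest from the stored random number. The `bind_ip` option is an assumption added only to show why the IP was dropped: a client whose proxy changes between clicks fails validation when the IP is hashed in and passes when it is not. The in-memory dictionary stands in for the database the post stores the random number in.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

# Hypothetical stand-in for the database row that holds the session's random number.
SESSION_STORE = {}


def _digest(uid, nonce, issued_on, user_agent, client_ip=None):
    """SHA-256 over [UID + random + date + UA (+ IP only if bound)], base64-encoded.

    The hash adds no secrecy of its own; everything unguessable about the
    token comes from the random nonce, so it must come from a CSPRNG."""
    parts = [str(uid), nonce, issued_on, user_agent]
    if client_ip is not None:
        parts.append(client_ip)
    material = "|".join(parts).encode("utf-8")
    return base64.b64encode(hashlib.sha256(material).digest()).decode("ascii")


def create_session(uid, user_agent, client_ip=None, bind_ip=False, now=None):
    """Issue a session token; store the random number (and date) server-side."""
    now = now or datetime.now(timezone.utc)
    nonce = secrets.token_hex(16)          # 128 bits from the OS CSPRNG
    issued_on = now.strftime("%Y-%m-%d")   # the "date" component from the post
    ip_part = client_ip if bind_ip else None
    token = _digest(uid, nonce, issued_on, user_agent, ip_part)
    SESSION_STORE[uid] = {
        "nonce": nonce,
        "issued_on": issued_on,
        "ua": user_agent,
        "bind_ip": bind_ip,
    }
    return token


def validate_session(uid, token, user_agent, client_ip=None):
    """Recompute the digest from the stored record and compare in constant time."""
    rec = SESSION_STORE.get(uid)
    if rec is None:
        return False
    ip_part = client_ip if rec["bind_ip"] else None
    expected = _digest(uid, rec["nonce"], rec["issued_on"], user_agent, ip_part)
    # hmac.compare_digest avoids leaking how many leading characters matched.
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed sample: one user behind a proxy whose address changes per click.
    ua = "Mozilla/5.0 (constructed UA)"
    when = datetime(2007, 1, 3, tzinfo=timezone.utc)

    tok = create_session(7, ua, client_ip="10.0.0.1", bind_ip=False, now=when)
    print("IP dropped, proxy changed:", validate_session(7, tok, ua, "10.0.0.2"))

    tok_bound = create_session(8, ua, client_ip="10.0.0.1", bind_ip=True, now=when)
    print("IP bound, proxy changed:  ", validate_session(8, tok_bound, ua, "10.0.0.2"))
```

Two points worth keeping in mind when using this shape: the UA is still in the digest, so a browser upgrade mid-session also logs the user out, which is a milder version of the same trade-off; and because the digest is deterministic given the stored row, the random number in the database is the real secret and should be treated that way.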
--
The Toronto Linux Users Group. Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists