[nycphp-talk] Session Thoughts
felix zaslavskiy
felix at students.poly.edu
Fri Oct 31 14:45:46 EST 2003
On Fri, 31 Oct 2003 11:35:08 -0800 (PST)
Chris Shiflett <shiflett at php.net> wrote:
> --- Keith Richardson <keith.richardson at thompsonhealth.com> wrote:
> > for a little bit of stability, you could store the session id and
> > ip address in a database
>
> A Web application should only use data in the HTTP layer in most
> cases. The only exception is if you are in a very controlled
> environment with a specific pool of users. If you are developing a
> Web application for public users, using anything from the TCP/IP
> layer is probably going to cause problems for your legitimate users
> and doesn't really offer any advantages.
>
> > i would think of looking at some other source code, like phpbb
>
> I think it would be better to observe the practices of places like
> Amazon and Yahoo.
By this you mean SSL + re-ask password for sensitive functions?
Re-asking the password, I think, is a bit of overkill if a site with no money is involved.
> phpBB and many open source PHP applications are
> very poor examples of a lot of things, especially security. Dan's
> emails to this list demonstrate that.
>
> Chris
>
> =====
> My Blog
> http://shiflett.org/
> HTTP Developer's Handbook
> http://httphandbook.org/
> RAMP Training Courses
> http://www.nyphp.org/ramp
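An added example (not code from the thread or from either poster) of what Chris's "HTTP layer only" advice and Felix's "re-ask the password" question look like in PHP: the session is bound to a fingerprint built from request headers rather than the client IP, the id is regenerated at login, and a helper gates sensitive actions behind a recent password check. Function names, session keys and the 300-second window are assumptions.

```php
<?php
// Added example: session binding from HTTP-layer data only, plus
// optional re-authentication for sensitive actions. Names are assumed.
declare(strict_types=1);

const REAUTH_WINDOW = 300; // seconds a password check stays valid (assumed)

// Fingerprint from HTTP-layer data only. Deliberately NOT
// $_SERVER['REMOTE_ADDR']: users behind proxy pools or mobile carriers
// change IPs mid-session and would be logged out for no gain.
// The header is client-supplied, so this is only a weak bind; the real
// protection is HTTPS plus regenerating the id at login.
function sessionFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call right after a successful password check.
function onLogin(int $userId): void
{
    session_regenerate_id(true);              // discard any pre-login id
    $_SESSION['user_id']      = $userId;
    $_SESSION['fingerprint']  = sessionFingerprint();
    $_SESSION['last_auth_at'] = time();
}

// Run on every request before trusting $_SESSION['user_id'].
function sessionIsValid(): bool
{
    return isset($_SESSION['user_id'], $_SESSION['fingerprint'])
        && hash_equals($_SESSION['fingerprint'], sessionFingerprint());
}

// Gate for money-moving or account-changing actions: require a password
// entered within REAUTH_WINDOW seconds, else send the user to a prompt.
// A site with nothing sensitive behind it can simply never call this.
function requireRecentAuth(string $redirectTo = '/reauth.php'): void
{
    $age = time() - (int)($_SESSION['last_auth_at'] ?? 0);
    if ($age > REAUTH_WINDOW) {
        header('Location: ' . $redirectTo, true, 303);
        exit;
    }
}
```

Call `session_start()` and then `sessionIsValid()` at the top of each request, destroying the session and redirecting to login when it returns false; call `requireRecentAuth()` only in the handlers that actually need it.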