[Gllug] IP address changes

Russell Howe rhowe at siksai.co.uk
Sun Nov 26 23:12:50 UTC 2006


On Sun, Nov 26, 2006 at 08:17:15PM +0000, Alain Williams wrote:
> OK: let's turn the question around: is it worth protecting against session
> hijacking, if so how to do it? I don't want the cost of https.
> 
> The sessions that I use are PHP ones where the PHPSESSID cookie contains
> a large random number that is used to identify the cookie.

For plain ol' HTTP, I guess ensuring your session IDs are indeed not
guessable or predictable, and securing your pages against cross site
scripting attacks and the like is about as good as you can do, I expect.

If you're serving to a general audience, then so many clients will be
running malware that even going the HTTPS route probably doesn't gain you
a whole load of security anyway...

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
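
Added example (not part of the original message, and not code from anyone in the thread): one way to apply the two measures named in the reply above, unguessable session IDs and XSS protection, to PHP sessions served over plain HTTP. It assumes PHP 7.3 or later; the function names and the login flow are hypothetical.

```php
<?php
// Added example: hardening a PHP session on plain HTTP.
// Function names and the login flow are hypothetical, not from the thread.

function start_hardened_session(): void
{
    session_start([
        'use_strict_mode'  => 1,     // reject PHPSESSID values the server never issued
        'use_only_cookies' => 1,     // never accept the session ID from the URL
        'use_trans_sid'    => 0,     // never rewrite links to carry the session ID
        'cookie_httponly'  => 1,     // keep the cookie out of document.cookie, so an
                                     // XSS bug cannot simply read the session ID
        'cookie_samesite'  => 'Lax', // PHP 7.3+: not sent on cross-site subrequests
        'cookie_secure'    => 0,     // site is plain HTTP, as stated in the thread
    ]);
}

function on_login(string $username): void
{
    // Issue a fresh random ID at the privilege change and delete the old
    // session data, so an ID known before login is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
}

function h(string $value): string
{
    // Escape untrusted data for an HTML text or attribute context.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

start_hardened_session();
on_login('alice');                          // constructed sample user
$name = $_GET['name'] ?? 'guest';           // untrusted request input
echo '<p>Hello, ', h($name), '</p>', PHP_EOL;
```

These settings address guessing, fixation and script access to the cookie; on plain HTTP the cookie still crosses the network unencrypted.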