How To Dynamic Web Rendering?
Nick Sabalausky
a at a.a
Sun May 15 13:37:37 PDT 2011
"Adam D. Ruppe" <destructionator at gmail.com> wrote in message
news:iqp7gu$7l6$1 at digitalmars.com...
>
> (BTW, PHP's automatic session handling *only* uses the session id.
> This leaves it open to trivial session hijacking. In web.d, the
> session functions automatically check IP address and user agent
> as well as cookies. It can still be hijacked in some places, but
> it's a little harder. To prevent hijacking in all situations,
> https is a required part of the solution, and the cgi library can't
> force that unilaterally. Well, maybe it could, but it'd suck.)
>
My understanding is that you CANNOT assume different requests in the same
session from the same computer are coming from the same IP. Apparently there
are a lot of networks, such as corporate networks and anonymizing networks,
which will cause different requests from the same user to wind up coming
from different IPs.
The *ONLY* reliable way to prevent session hijacking without breaking your
site for many users is to force everything (and I mean EVERYTHING) through
https from the time the session is created to the time the session is
killed.
Yes, that does suck, but you'll certainly never see me claim that the web
isn't the absolute worst, piece of shit excuse for an "applications
platform" in history.
One of the reasons for this particular mess (besides the whole "shoving
applications through a stateless protocol" bullshit) is idiotic limitations
of cookies. More specifically, there isn't nearly enough you can do to
restrict the URLs for which the browser will send a particular cookie.
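To make the two mechanisms argued about above concrete, here is an added example (not code from the original thread, from PHP, or from web.d) in Python. It renders a session cookie with the Secure and HttpOnly attributes, implements the RFC 6265 path-match rule to show that Path is only a prefix restriction on which URLs receive the cookie, and sketches a session check that binds the cookie to the user agent while logging, rather than rejecting, an IP change. The cookie name, session id and IP addresses are constructed sample values.

```python
"""Added example (not from the original thread, PHP or web.d): what a server
can and cannot control about when a browser sends a session cookie, plus a
session check that binds the cookie to the user agent without hard-failing
on an IP change."""
from dataclasses import dataclass


@dataclass
class CookieAttrs:
    name: str
    value: str
    path: str = "/"
    secure: bool = True      # browser sends the cookie over https only
    http_only: bool = True   # page script cannot read the cookie


def set_cookie_header(c: CookieAttrs) -> str:
    """Render the value of a Set-Cookie response header."""
    parts = [f"{c.name}={c.value}", f"Path={c.path}"]
    if c.secure:
        parts.append("Secure")
    if c.http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 section 5.1.4 path-match.

    This is the only URL-based restriction a cookie offers: a path prefix.
    A cookie scoped to /app goes to /app/admin, /app/uploads/anything and
    every other path under /app; there is no way to exclude a sub-path.
    """
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    # /app must not match /application: the next character must be a slash
    return request_path[len(cookie_path)] == "/"


def browser_sends(c: CookieAttrs, scheme: str, request_path: str) -> bool:
    """Would a conforming browser attach this cookie to the request?"""
    if c.secure and scheme != "https":
        return False
    return path_matches(request_path, c.path)


@dataclass
class Session:
    sid: str
    user_agent: str
    last_ip: str
    ip_changes: int = 0


def validate(session: Session, presented_ua: str, client_ip: str) -> bool:
    """Bind the session to the user agent that created it.

    An IP change is recorded for logging but does not end the session:
    proxies, corporate NAT and anonymizing networks legitimately move one
    user across IPs, so a hard IP check breaks the site for those users.
    """
    if presented_ua != session.user_agent:
        return False
    if client_ip != session.last_ip:
        session.ip_changes += 1
        session.last_ip = client_ip
    return True


if __name__ == "__main__":
    # constructed sample cookie scoped to /app
    sid = CookieAttrs("sid", "constructed-session-id", path="/app")
    print(set_cookie_header(sid))
    for scheme, path in [("https", "/app"), ("https", "/app/admin"),
                         ("https", "/application"), ("http", "/app/admin")]:
        print(f"{scheme} {path}: sent={browser_sends(sid, scheme, path)}")
    s = Session("constructed-session-id", "UA/1.0", "10.0.0.1")
    print("same UA, new IP ok:", validate(s, "UA/1.0", "10.0.0.2"), s.ip_changes)
    print("different UA ok:", validate(s, "UA/2.0", "10.0.0.2"))
```

Run stand-alone, the script shows the cookie header, which of the four constructed requests would carry the cookie, and how the session check treats a user-agent mismatch versus an IP change.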