RE: security (lib.binarycloud.devel, msg#00843)
Wouldn't it be best to run security like this: User logs in, gets their session ID. The system checks to ensure that that session is currently active, and not spoofed, based on IP, browser, OS type. And that the data coming to/from that session is what it should be exactly, without any other input. Basically saying that if the request was for table5, field6, row7, only that could be inputted/extracted. Any additional information would create a security violation alert, alerting both the user and the site admin. I wouldn't want someone with a valid session to get info from table5, field6, row8 just because he altered the URL.

Just a thought.

Michael

-----Original Message-----
From: Albert Lash [mailto:alash-tHZu4XM3tDUE4HWnolEugJowlv4uC7bZ@xxxxxxxxxxxxxxxx]
Sent: Friday, May 31, 2002 11:02 AM
To: dev-zNu2Yekbks92Brm55YPRC3dfcadvtA/q@xxxxxxxxxxxxxxxx
Subject: [binarycloud-dev] security

Hey Alex,

A couple of days ago I was talking about how to return user-specific data, the $client->user_id thing to incorporate into a SQL query. I was thinking it would be great practice to link a random id to each user. This in essence doesn't prevent break-ins, but makes it harder to guess what another user's name or id would be. It seems like such a bad idea to use an auto increment index as user IDs.

- Alby