Re: PHP encryption again (msg#00009, php.tcphp)
On 03/15/2005 10:50 AM, Paul Bramscher <brams006-OJFnDUYgAso@xxxxxxxxxxxxxxxx> wrote:

> My point was that fully cloning the client puts the hacker into a
> position where the server-side manipulations, regardless of what they
> are, will be to no avail. You can keep adding more steps, but it's
> pointless. The hacker has *become* the client in the server's eyes, so
> any manipulations to the session, etc. will be performed to the hacker
> identically as for the authenticated user.

Not true if you re-calculate the hash and compare it to the value stored in the cookie. If the hash contains the browser's User-Agent header, for example, and the hacker is using a different browser, the hash will not be the same.

Recommend reading:

http://shiflett.org/articles/the-truth-about-sessions

Pay particular attention to the 'Preventing Impersonation' section.

Paul
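The fingerprint check Paul describes, written out as an added example (it is not code from this thread or from Shiflett's article). It follows the 'Preventing Impersonation' approach: at login the server hashes a secret salt together with the browser's User-Agent and stores the result in the server-side session data (this version keeps it in $_SESSION rather than in a cookie, which is an assumption on my part); every later request recomputes the hash and rejects the session if it differs. The salt value, the helper names and the two constructed User-Agent strings are all made up for the demonstration.

```php
<?php
// Added example: server-side session fingerprint bound to the User-Agent.
// A stolen session ID presented from a different browser fails the check
// because the recomputed hash no longer matches the stored one.

// Assumption: a long random secret known only to the server. Without it an
// attacker who knows the scheme could compute the fingerprint for any UA.
const SESSION_SALT = 'replace-with-a-long-random-secret';

// Hash the salt with the request's User-Agent header (empty if absent).
function fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', SESSION_SALT . $ua);
}

// Called once, immediately after successful authentication.
function establishSession(array &$session, array $server): void
{
    $session['fingerprint'] = fingerprint($server);
}

// Called on every subsequent request before trusting the session.
// hash_equals() compares in constant time to avoid a timing side channel.
function sessionIsValid(array $session, array $server): bool
{
    if (!isset($session['fingerprint'])) {
        return false;
    }
    return hash_equals($session['fingerprint'], fingerprint($server));
}

// Constructed demonstration (in real code these would be $_SESSION and $_SERVER):
// the victim logs in from one browser, the attacker replays the stolen
// session ID from a different one.
$victimServer   = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux) Firefox/1.0'];
$attackerServer = ['HTTP_USER_AGENT' => 'Mozilla/5.0 (Windows NT 5.1) MSIE 6.0'];

$session = [];
establishSession($session, $victimServer);

var_dump(sessionIsValid($session, $victimServer));   // victim's own browser
var_dump(sessionIsValid($session, $attackerServer)); // replay from another browser
```

The check only raises the bar by as much as the attacker's capture is incomplete: if the stolen material includes the User-Agent string as well as the session ID, the attacker sends the same header and the recomputed hash matches, which is the situation the quoted message above is arguing about. The salt matters for the same reason; without it, anyone who can guess the scheme and the UA can produce a valid fingerprint.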