[dev] multiple different user logins

Michael Bull mbull@uoguelph.ca
Wed, 29 Nov 2000 10:22:50 -0500


At 12:10 PM 28/11/2000 -0500, you wrote:
>Quoting Michael Bull <mbull@uoguelph.ca>:
>
> > What are the operational differences between cookies and get mode 
> sessions?
> > What's the tradeoff?
>
>Well, the main one is that with url-based (get mode), the session id is right
>there in the URL, in log files, in proxies.... etc. It decreases security and
>privacy a bit.

The exposure being that if someone can read that session ID while the 
session is still active, they could conceivably 'hijack' control of one's 
session, right?
Whereas this is harder to do with cookies, but still possible with malicious 
scripts? (I'm just trying to get a feel for the overall topic of security 
of one's session so I know what context to put this in).

That exposure would go away if session IDs were associated with IPs, 
right?   Is there any reason that this isn't done? (i.e., knowing that 
session x is owned by 127.0.0.1, and that sessions shouldn't shift IPs?) I 
imagine this would have to be a PHP thing... unless IMP captures the IP as 
a session variable and there is some way to check that it hasn't changed?
(I ask this as a question as I'm not fully up on how IMP's built or if it's 
even possible... I can't think of any particular reason why this isn't 
done, but I'll defer to those with more experience).
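One way to do the check the post asks about in PHP itself, as an added example that is not part of this thread or of IMP: record the client address when the session is created and refuse the session if it later arrives from a different address. It assumes PHP's built-in session handling, that REMOTE_ADDR is the real client address (no reverse proxy in front), and the function name start_bound_session is my own.

```php
<?php
// Added example, not code from the list post or from IMP/PHP: bind a session
// to the address that created it and reject the session if the address changes.
// Assumes REMOTE_ADDR is the real client (no proxy/load balancer in front).
declare(strict_types=1);

function start_bound_session(): void
{
    // Keep the id out of URLs (the "get mode" problem from the thread):
    // cookies only, no automatic rewriting of links with the session id.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_start();

    $client = $_SERVER['REMOTE_ADDR'] ?? '';

    if (!isset($_SESSION['bound_ip'])) {
        // Fresh session: issue a new id so an id chosen before this point
        // (e.g. one that was visible in a URL) is not carried over, then
        // remember which address owns it.
        session_regenerate_id(true);
        $_SESSION['bound_ip'] = $client;
        return;
    }

    if ($_SESSION['bound_ip'] !== $client) {
        // Address changed mid-session. This may be a stolen id, but it is also
        // what a legitimate user behind a rotating proxy pool or a dial-up
        // reconnect looks like, so the safe reaction is to discard the session
        // and ask for a fresh login rather than to keep serving it.
        error_log(sprintf('session %s: address changed from %s to %s, discarding',
            session_id(), $_SESSION['bound_ip'], $client));
        $_SESSION = [];
        session_destroy();
        http_response_code(403);
        exit('Session no longer valid, please log in again.');
    }
}

start_bound_session();
```

The caveat the check illustrates is why IP binding is not a complete answer: clients behind NAT or a proxy farm share or change addresses, so the check trades some false logouts for the hijack protection, and keeping the id out of URLs (the two ini settings) removes the larger exposure on its own.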