Hi. Working on my new website and have run into something I have thought on before, but never really analyzed. I am making my site using PHP4 sessions propagated only through the URL, no cookies. (Why add cases in code for something that isn't 100% guaranteed when there is another way to do it that is 100%, right?)
Well, I've run into a problem. If someone logs in and is browsing around and finds a page they want to share with a friend (say, a forum post), they copy the URL out of their browser and post it in IRC, say. Someone clicks the link to see what's up.
When that second person gets there, they've become logged in as the first person because their session ID matches (since it was in the URL).
Can this be avoided? I've thought on it a bit. You could use the remote IP address and check to see if it matches what it was when the user logged in when something important happens (like a password change), and if it's different, that means that it's a different person than the one who logged in. Right? Well, unfortunately, it could just be that the person is behind a proxy farm, as someone pointed out in the comments on the PHP manual. You could ask for password verification when something big happens, but then doesn't this make being "logged in" pointless anyway? There's got to be some way to solve this problem that addresses these issues:
The correct person can\'t be mistaken for an intruder. An intruder can\'t be mistaken for the correct person. The system can\'t be so bogged down by security measures that it makes logging in pointless anyway.
Any solutions? Thoughts, ideas? Anything will help.
Thanks
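An added example, not the poster's code, of the session setup that removes the shared-URL problem described above: the ID lives only in a cookie (so it never ends up in a pasted link), a fresh ID is issued at login, and the password is asked for again only for sensitive actions once the login is older than a window. The helper names and the 15-minute window are assumptions.

```php
<?php
// Added example (not the poster's code). Requires PHP >= 4.3.2 for
// session_regenerate_id(); the other calls exist in PHP 4.1+.

// Keep the session ID out of the URL entirely: cookie only, and disable
// the transparent SID rewriting that appends PHPSESSID to links.
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

session_start();

// How long a login stays "fresh" for sensitive actions (assumed: 15 min).
define('REAUTH_WINDOW_SECONDS', 900);

// Hypothetical helper: call once the username/password check has passed.
function login_user($user_id)
{
    // Issue a new ID so any ID observed before login is worthless.
    session_regenerate_id();
    $_SESSION['user_id']    = $user_id;
    $_SESSION['login_time'] = time();
}

// Hypothetical helper: call before a sensitive action such as a password
// change. Returns true when the password must be asked for again.
// Ordinary browsing never triggers this, so being logged in still matters;
// no IP check is used, because proxy farms make that unreliable.
function needs_reauth()
{
    if (!isset($_SESSION['user_id'])) {
        return true; // not logged in at all
    }
    return (time() - $_SESSION['login_time']) > REAUTH_WINDOW_SECONDS;
}

// Hypothetical helper: call after a successful password re-check so the
// window starts again.
function refresh_login_time()
{
    $_SESSION['login_time'] = time();
}

// Hypothetical helper: full logout, so a stale cookie cannot be reused.
function logout_user()
{
    $_SESSION = array();
    session_destroy();
}
```

Because the ID is only ever sent in a cookie, a copied forum URL carries nothing that logs the second person in, which is the root of the problem in the post.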