Sorry for late reply..
Anyway, not having used php4 sessions yet I can only comment on the way
phplib does this.
You can use URL or cookie propagation of session data. If that's the
case, the first time you visit a site you get the session data in the
URL but after that cookies are used (since the site knows your browser
supports cookies). I disabled the use of URL session data as I came
across the same problems, although with phplib, a user who types the
URL(+session data) into their own browser was able to access _that_
single page but no other page..
If you don't want to use cookies at all your only hope is to use session
data in the URL, or use hidden fields and forms around your links..
(ugh!)
As you said before, a timeout provides some form of protection. Set to 5
minutes or less and the link should become "logged out". Of course, that
affects usability too. :(
Donncha.
adam wrote:
> This is a post I sent to php-general and posted on PHPBuilder.com and
> Zend.com. So far, nobody's responded with anything sensible (why do people
> not read posts?). [More below the post...]
> ----------------------------------------------------------
> I want to use PHP4 sessions for authentication, but I'm having difficulty
> understanding how to get around users spoofing, stealing or linking
> sessions. Here's an example: Alice sends Bob a link from a site she's logged