
Re: [cgiapp] CGI::Session trouble


Cees Hek wrote:
On Tue, 2 Nov 2004 15:02:11 +0200 (IST), Gabor Szabo <suppressed> wrote:

The problem arises when I want to add further information to the
"sessions" table. I'd like to be able to control how many times each user
is logged on at the same time. (Usually that will be <= 1 as we don't
want clients to use the same login information from multiple locations).


What I would do in this case is use the username as the session ID. This
will work if your sessions are only used for logged in users. It will
allow you to find the session that belongs to a specific logged in user,
and guarantees that there will only ever be one session per user.

I could be wrong, but that seems really insecure. After login, the user could change their cookie (or session id) to be some other user's name and then masquerade as the other user (changing passwords, settings, seeing confidential data, and other general mucking around). Since user names are usually based on names and email addresses they should be *really* easy to guess.

--
Michael Peters
Developer
Plus Three, LP
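
The following is an added example and not code posted to this thread or part of CGI::Session: it shows the difference between the two designs being discussed. A username used directly as the session ID can be guessed and typed into a cookie; a random session ID with a server-side table mapping ID to username cannot, and the table still lets you find a user's session and enforce the one-session-per-user rule Gabor asked about. The hash %SESSIONS stands in for the "sessions" table, the function names are this example's own, and the logins are constructed data.

```perl
#!/usr/bin/perl
# Added example, not from the thread and not CGI::Session's API.
# Two session stores side by side: the insecure "username is the session ID"
# design and a random-ID design with a server-side lookup table.
use strict;
use warnings;

# --- The design being discussed: username doubles as session ID ---------
my %SESSIONS_BY_NAME;                       # username => 1

sub login_insecure {
    my ($username) = @_;
    $SESSIONS_BY_NAME{$username} = 1;
    return $username;                       # cookie value is the username
}

sub current_user_insecure {
    my ($cookie) = @_;
    return exists $SESSIONS_BY_NAME{$cookie} ? $cookie : undef;
}

# --- Hardened design: random ID, username kept server-side --------------
my %SESSIONS;                               # session_id => username

# 128 bits from the kernel CSPRNG, hex-encoded (32 chars): not guessable.
sub new_session_id {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    read($fh, my $bytes, 16) == 16 or die "short read from /dev/urandom";
    close $fh;
    return unpack 'H*', $bytes;
}

# Issue a fresh session. Any session already held by this username is
# dropped first, so a user is logged in from at most one location.
sub login {
    my ($username) = @_;
    for my $sid (keys %SESSIONS) {
        delete $SESSIONS{$sid} if $SESSIONS{$sid} eq $username;
    }
    my $sid = new_session_id();
    $SESSIONS{$sid} = $username;
    return $sid;                            # cookie value is the random ID
}

# Resolve a cookie to a user; undef if the ID is unknown or revoked.
sub current_user {
    my ($cookie) = @_;
    return exists $SESSIONS{$cookie} ? $SESSIONS{$cookie} : undef;
}

# How many live sessions a user holds (checks the one-session rule).
sub session_count {
    my ($username) = @_;
    return scalar grep { $_ eq $username } values %SESSIONS;
}

# --- Walk-through with constructed logins --------------------------------
login_insecure('alice');
login_insecure('bob');
# Bob edits his cookie to read "alice": the guess succeeds.
my $who = current_user_insecure('alice');
printf "insecure: cookie 'alice' resolves to %s\n", $who // '(nobody)';

my $alice_sid = login('alice');
my $bob_sid   = login('bob');
printf "hardened: alice's cookie is %s\n", $alice_sid;
# Same guess against the hardened store: "alice" is not a session ID.
$who = current_user('alice');
printf "hardened: cookie 'alice' resolves to %s\n", $who // '(nobody)';

# Alice logs in from a second location: her first session is revoked.
my $alice_sid2 = login('alice');
printf "old alice cookie still valid? %s\n",
    defined current_user($alice_sid) ? 'yes' : 'no';
printf "live sessions for alice: %d\n", session_count('alice');
```

The lookup table is what makes both requirements compatible: the ID in the cookie carries no information about who the user is, while the username column lets the login handler find and revoke a user's existing session before issuing a new one.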


---------------------------------------------------------------------
Web Archive:  http://www.mail-archive.com/suppressed/
             http://marc.theaimsgroup.com/?l=cgiapp&r=1&w=2
To unsubscribe, e-mail: suppressed
For additional commands, e-mail: suppressed

