[nycphp-talk] Chris Shiftlett's Session Example
Nasir Zubair
nasir81 at gmail.com
Wed Aug 3 21:30:10 EDT 2005
One thing that comes to mind is that sometimes users will hand off the
URL with session ID to a robot (downloader/screen scraper), which can
emulate the USER_AGENT. However, if you store it in the cookie as
well, you'll know when the robot is unable to reproduce the cookie
variables.
Just a thought.
On 8/3/05, Joseph Crawford <codebowl at gmail.com> wrote:
> http://shiflett.org/code/http-developers-handbook/session_example.phps
>
> Guys, I have a few questions about this.
>
> Here is the snippet I am concerned with:
>
> # Make sure the user agent is correct
> $ua_should_be = urldecode($parsed_cookie['ua']);
> if ($_SERVER['HTTP_USER_AGENT'] != $ua_should_be)
> {
>     $identity_validated = false;
> }
>
> Does that seem redundant to anyone else? Why would you store a value in a
> cookie (on the client's machine) and then use that to compare to PHP's
> HTTP_USER_AGENT? Couldn't the client just edit the cookie to be the same?
> Then once they go to the page it will see it as valid.
>
>
> --
> Joseph Crawford Jr.
> Codebowl Solutions, Inc.
> 1-802-671-2021
> codebowl at gmail.com
--
Nasir Zubair
http://www.nasir.us/
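
The two cases raised in this thread, as an added example that is not part of either message and is not Shiflett's code: a robot that was handed the URL and copies the User-Agent but has no cookie, and a client that edits the cookie's `ua` value to match its own agent. The function names, the `ua_hash` session key, the cookie layout and the sample agents are assumptions made for the illustration.

```php
<?php
// Added illustration; names and data layout are hypothetical, not from the linked example.

/** Check in the style of the quoted snippet: the expected UA comes from the client's cookie. */
function validate_from_cookie(array $server, ?array $parsed_cookie): bool
{
    if ($parsed_cookie === null || !isset($parsed_cookie['ua'])) {
        return false; // no cookie at all: a robot given only the URL ends up here
    }
    $ua_should_be = urldecode($parsed_cookie['ua']);
    return ($server['HTTP_USER_AGENT'] ?? '') === $ua_should_be;
}

/** Variant: the expected UA is remembered in server-side session data at login. */
function validate_from_session(array $server, array $session): bool
{
    if (!isset($session['ua_hash'])) {
        return false;
    }
    $seen = hash('sha256', $server['HTTP_USER_AGENT'] ?? '');
    return hash_equals($session['ua_hash'], $seen); // the client cannot edit this copy
}

// Constructed sample data: what the server recorded when the user logged in.
$login_ua = 'Mozilla/5.0 (X11; Linux) Firefox/1.0.6';
$session  = ['ua_hash' => hash('sha256', $login_ua)];
$cookie   = ['ua' => urlencode($login_ua)];

// Each case: [simulated $_SERVER, parsed cookie or null].
$cases = [
    'original browser' =>
        [['HTTP_USER_AGENT' => $login_ua], $cookie],
    'robot given the URL, UA copied, no cookie' =>
        [['HTTP_USER_AGENT' => $login_ua], null],
    'other client, cookie ua edited to match' =>
        [['HTTP_USER_AGENT' => 'OtherAgent/1.0'], ['ua' => urlencode('OtherAgent/1.0')]],
];

foreach ($cases as $label => [$server, $parsed_cookie]) {
    printf(
        "%-42s cookie-check=%-5s session-check=%s\n",
        $label,
        var_export(validate_from_cookie($server, $parsed_cookie), true),
        var_export(validate_from_session($server, $session), true)
    );
}
```

The cookie comparison rejects only the cookieless robot, and the server-side comparison rejects only the client with the edited cookie, so each check covers the case the other misses.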