[nycphp-talk] Experts help needed (Sessions)
Chris Shiflett
shiflett at php.net
Sat Aug 6 17:46:48 EDT 2005
Joseph Crawford wrote:
> Thanks. If I implement this, I will be doing it this way: basically
> storing the last 10 UAs and checking those; once one is found that
> doesn't match, it increments a count.
I would store one user agent and increment a counter whenever a match is
found (not the other way around). Once that counter passes a certain
threshold of your choosing, enforce user agent consistency.
I would reset the counter when a match is not found, otherwise the
purpose is lost.
> The count hits a certain # the session is destroyed, is that what
> you meant?
This is a pretty extreme reaction. A better approach is to prompt the
user for a password. After all, this approach isn't foolproof, and
neither is the implementation. There are situations (weird browser
behavior, HTTP proxies, errors in your code, etc.) that can cause a
legitimate user to fail one of your checks.
Hope that helps.
Chris
--
Chris Shiflett
Brain Bulb, The PHP Consultancy
http://brainbulb.com/
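The scheme Chris describes above, written out as an added example (this is not code from the post or from Brain Bulb): one stored user agent, a counter that increments on a match and resets on a mismatch, consistency enforced only once the counter passes a threshold, and a password prompt rather than session destruction when an enforced check fails. The threshold value of 5, the SHA-256 fingerprinting of the header, the function names, and the `/reauth.php` redirect are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Works on a session array passed
// by reference so it can be exercised with a plain array instead of $_SESSION.
declare(strict_types=1);

// Assumed threshold: consecutive matches before consistency is enforced.
const UA_THRESHOLD = 5;

/**
 * Update the session's user-agent state for this request and tell the caller
 * what to do: 'ok' (carry on) or 'reauth' (prompt for the password).
 *
 * @param array<string,mixed> $session   Normally $_SESSION, by reference.
 * @param string              $userAgent The request's User-Agent header.
 */
function checkUserAgent(array &$session, string $userAgent): string
{
    // Store a hash instead of the raw header so arbitrary client input is not
    // kept in the session. (Assumption; the post does not specify this.)
    $fingerprint = hash('sha256', $userAgent);

    if (!isset($session['ua_fingerprint'])) {
        // First request seen for this session: record the UA, counter at zero.
        $session['ua_fingerprint'] = $fingerprint;
        $session['ua_matches'] = 0;
        return 'ok';
    }

    if (hash_equals($session['ua_fingerprint'], $fingerprint)) {
        // Match: count it, but stop counting once the threshold is reached.
        if ($session['ua_matches'] < UA_THRESHOLD) {
            $session['ua_matches']++;
        }
        return 'ok';
    }

    // Mismatch while consistency is enforced: do not destroy the session,
    // ask for the password instead (proxies, odd browsers and bugs in our
    // own code can trip this for a legitimate user).
    if ($session['ua_matches'] >= UA_THRESHOLD) {
        return 'reauth';
    }

    // Mismatch before enforcement: adopt the new UA and reset the counter,
    // otherwise the "consecutive matches" requirement is meaningless.
    $session['ua_fingerprint'] = $fingerprint;
    $session['ua_matches'] = 0;
    return 'ok';
}

/**
 * Call after the user re-enters the password successfully: bind the session
 * to the UA that just authenticated and start counting again.
 */
function rebindUserAgent(array &$session, string $userAgent): void
{
    $session['ua_fingerprint'] = hash('sha256', $userAgent);
    $session['ua_matches'] = 0;
}

// Typical use at the top of a protected page (assumed layout):
//
//   session_start();
//   $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
//   if (checkUserAgent($_SESSION, $ua) === 'reauth') {
//       header('Location: /reauth.php'); // its handler calls rebindUserAgent()
//       exit;
//   }

// Constructed demo: a plain array stands in for $_SESSION.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $session = [];
    $ff = 'Mozilla/5.0 (X11; Linux x86_64; rv:1.0) Firefox/1.0';
    $ie = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';

    for ($i = 0; $i < 3; $i++) {
        checkUserAgent($session, $ff);
    }
    echo checkUserAgent($session, $ie), "\n"; // ok: below threshold, counter resets
    for ($i = 0; $i < 6; $i++) {
        checkUserAgent($session, $ie);
    }
    echo checkUserAgent($session, $ff), "\n"; // reauth: consistency now enforced
}
```

Note that the counter stops at the threshold on purpose: it is a "has this session been stable long enough" flag, not a running total, and after a successful re-authentication `rebindUserAgent()` starts it over against the user agent that proved possession of the password.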