
Re: Tracking user session



Hi!

Since nobody here told me how to use the mod_session module in Apache,
I have thought of a small and simple method to track user sessions.

What I do is this:

After authenticating the user name + password,
I have a table with 2 columns: username, logintime.
I enter the above in the database. (I'm using time_t to store the moment the
session was created.)

Then, with each subsequent page, the CGIs check the existence of a session by
comparing usernames. (Usernames are passed by appending them to href links, like
href=newcgi?username )

Then a check is performed like currenttime - session.logintime,
and the official session timeout in seconds can be set.


Security fails in the way that anyone, without knowing the password of a
user, can log on to his account "simply" by
1. appending the html tags to the usersid
2. spoofing his IP with my webservers.
3. knowing the .htaccess password
4. and do all this while the user is online ! ;o)


If anyone else has achieved this with mod_session, please tell me how you did
that,
so I won't have to write my cookie program!

rgds,
Amit.
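
The check described in the message, next to a hardened variant, as an added example that is not code from the original post. It assumes an in-memory array in place of the database table, a 900-second timeout, a random per-session token read from /dev/urandom and returned to the client at login, and the hypothetical function names shown.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

#define SESSION_TIMEOUT 900   /* assumed timeout in seconds */
#define TOKEN_HEX 32          /* 16 random bytes, hex-encoded */

/* In-memory stand-in for the post's (username, logintime) table,
   extended with a token column (an addition, not in the post). */
struct session { char user[32]; time_t logintime; char token[TOKEN_HEX + 1]; };
static struct session table[8];
static int nsessions;

/* Create a session row after password authentication; returns 0 on success. */
int session_create(const char *user, time_t now, char *token_out) {
    unsigned char raw[TOKEN_HEX / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || nsessions >= 8) { if (f) fclose(f); return -1; }
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return -1;
    struct session *s = &table[nsessions++];
    snprintf(s->user, sizeof s->user, "%s", user);
    s->logintime = now;
    for (size_t i = 0; i < sizeof raw; i++) sprintf(s->token + 2 * i, "%02x", raw[i]);
    memcpy(token_out, s->token, TOKEN_HEX + 1);
    return 0;
}

static struct session *find(const char *user) {
    for (int i = 0; i < nsessions; i++)
        if (strcmp(table[i].user, user) == 0) return &table[i];
    return NULL;
}

/* The post's check: username from the link plus the timeout only. */
int check_by_username(const char *user, time_t now) {
    struct session *s = find(user);
    return s && now - s->logintime <= SESSION_TIMEOUT;
}

/* Hardened check: the request must also carry the session's random token. */
int check_by_token(const char *user, const char *token, time_t now) {
    struct session *s = find(user);
    if (!s || strlen(token) != TOKEN_HEX) return 0;
    unsigned char diff = 0;   /* compare every byte, no early exit */
    for (int i = 0; i < TOKEN_HEX; i++) diff |= (unsigned char)(s->token[i] ^ token[i]);
    return diff == 0 && now - s->logintime <= SESSION_TIMEOUT;
}
```

With the username-only check, the session is valid for any request that names a logged-in user; with the token check, the request must also present a value that only the authenticated client received.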