Wednesday, May 23, 2012
HellBound Hackers | Computer General | Increasing Security

Author

Can this be done, and how accurate would it be?

Mb0742
Member



Posts: 189
Location:
Joined: 26.11.07
Rank:
Hacker Level 2
Posted on 26-06-08 09:54
I am starting a website and my main desire is to protect my members as much as I can. I have taken the steps to ensure safe cookies, like basing them off the IP of the user. However, the site is one where you can purchase items, and when dealing with money you can never be too safe. The problem is that, yes, an IP based off an IP is safe; however, a person on the same network can still exploit a flaw or what-not, then inject the stolen cookies without the IP check doing anything.

So now with my theory - if the cookies are based not only on IP but also on when they were set it would be impossible to inject. So does PHP have a function to check when a cookie was set and if so how accurate is it?

Thanks everyone.


Mb
javascript:alert("hi")
Author

RE: Can this be done, and how accurate would it be?

Uber0n
Member



Posts: 1963
Location: Sweden
Joined: 13.06.06
Rank:
God
Posted on 26-06-08 10:25
Mb0742 wrote:
The problem is that, yes, an IP based off an IP is safe; however, a person on the same network can still exploit a flaw or what-not, then inject the stolen cookies without the IP check doing anything.

True. Many admins who use IP-based sessions underestimate this risk.

So now with my theory - if the cookies are based not only on IP but also on when they were set it would be impossible to inject. So does PHP have a function to check when a cookie was set and if so how accurate is it?

No idea :right:



http://uber0n.webs.com/
Author

RE: Can this be done, and how accurate would it be?

Bot H2H
Member



Posts: 14
Location: England, UK
Joined: 13.11.06
Rank:
Apprentice
Posted on 04-07-08 23:26
Not really sure what you can do. Is it a custom-built system made by you, or is it a piece of software from a company?


Protecting websites since 2007.
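
An added example, not part of any post in this thread: the browser returns only a cookie's name and value, so PHP has nothing to report about when a cookie was set, and the server has to embed and sign the issue time itself. The sketch below does that and also shows the limit raised in the first post, where a copied cookie replayed from behind the same public IP still verifies. Function names, key, lifetime and sample values are assumptions.

```php
<?php
// Added illustration; all names and sample values are constructed.
const MAX_AGE = 900; // assumed session lifetime in seconds

function issue_token(string $user, string $ip, int $now, string $key): string
{
    $payload = $user . '|' . $now;
    // The client IP is mixed into the MAC instead of being stored in the cookie.
    $mac = hash_hmac('sha256', $payload . '|' . $ip, $key);
    return $payload . '|' . $mac;
}

function verify_token(string $token, string $ip, int $now, string $key): ?string
{
    $parts = explode('|', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null; // malformed value
    }
    [$user, $issued, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $issued . '|' . $ip, $key);
    if (!hash_equals($expected, $mac)) {
        return null; // value was altered, or request comes from another IP
    }
    if ($now < (int)$issued || $now - (int)$issued > MAX_AGE) {
        return null; // issued in the future, or past its lifetime
    }
    return $user;
}

$key   = random_bytes(32); // server-side secret, never sent to the client
$t0    = 1214474040;       // constructed issue time
$token = issue_token('mb0742', '203.0.113.7', $t0, $key);

// Forgery attempt: push the issue time forward without knowing the key.
$p = explode('|', $token);
$p[1] = (string)($t0 + 600);
$forged = implode('|', $p);

$cases = [
    'same IP, inside lifetime'       => verify_token($token, '203.0.113.7', $t0 + 60, $key),
    'different IP'                   => verify_token($token, '198.51.100.9', $t0 + 60, $key),
    'same IP, after lifetime'        => verify_token($token, '203.0.113.7', $t0 + 901, $key),
    'edited issue time'              => verify_token($forged, '203.0.113.7', $t0 + 901, $key),
    'copied cookie, same public IP'  => verify_token($token, '203.0.113.7', $t0 + 120, $key),
];
foreach ($cases as $label => $result) {
    echo str_pad($label, 32), $result === null ? 'rejected' : "accepted as $result", "\n";
}
```

The issue time travels inside the cookie, so it bounds how long a stolen value is useful but does not tell the original browser apart from a copy; that still depends on keeping the cookie from being read in the first place (HTTPS with the `Secure` and `HttpOnly` flags).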

© HellBound Hackers 2008- 2009. Since 3rd December 2004.