Comments:
<0> I'd say that's reason enough
<1> i use OO more than anyone i know, and i still don't know what you're talking about
<2> itrebal: can I ask a freaking question?
<3> Artnez_: how would you remember a user's username without using a session. if the java guys can do it, there must be a way
<4> itrebal: Hehe :) it determines the mime-type by looking at more than the file extension, right?
<5> use a destructor
<3> Artnez_: i'm just curious really
<6> joh: yea
<1> davidbest: you cannot remember someone's username without sessions or cookies (sessions are really cookies)
<1> and tell the java guys to kiss their own ***, because they can't do it without cookies either
<6> Artnez_: sessions are not cookies
<7> Unless they're passing it through the query string or something.
<1> itrebal: i was being simplistic
<3> Artnez_: i doubt a java app is using cookies
<0> Artnez_: you can achieve data persistence without cookies.
<1> davidbest: java apps do not load multiple pages
<2> You most certainly cannot
<1> caffinated: you can, with a SESSIONID in the URL
<7> heh
<0> Artnez_: right.
<4> itrebal: Ok, great :)
<8> Artnez_: this was the script in its entirety: http://ootput.pastebin.com/572103
<2> sessionid in the URL is white trash
<7> caffinated, how?
<0> AzMoo: see above
<6> Myconid: your dumb.
<5> lol you're all funny
<2> itrebal: uhhuh..
<1> ootput: i don't get it, you want to have the array keys as the filenames?
<0> itrebal: I prefer the term 'misinformed'
<8> Artnez_: yep
<6> caffinated: i'll use that from now on :)
<0> :)
<7> caffinated, eh? See what?
<1> ootput: i'm not going to rewrite your code for you. but.. are you using php5 or 4?
<7> oh, sessionid
<3> all right, so using static variables, accessors, mutators, will not help
<3> it's impossible?
<8> Artnez_: 4
<1> davidbest: read my words. if you want to retain user data across *multiple page loads* it is impossible to do without cookies
<0> Artnez_: read mine. you are wrong.
<7> Artnez_, cookies or sessions
<1> you can come up with "ways", but validating based on a URL variable (the only other method) is like validating by IP address
<5> use the ip address log it with the time, log each hit
<1> caffinated: what am i wrong about?
<2> Epichero: you cant do that
<1> Epichero: IP address can easily be spoofed.
<5> i know
<2> Epichero: 75%+ of internet users do not have unique IP's
<5> its not practical
<2> there isnt a 1:1 mapping
<0> Artnez_: it is entirely possible to keep user data across page loads using a session ID in the URL
<0> Artnez_: it requires no cookies.
<1> caffinated: no ****, i said that twice
<5> it is possible to do it like that its stupid and irresponsible
<5> but its just a case in point
<6> "(01:45:08 PM) Artnez_: davidbest: read my words. if you want to retain user data across *multiple page loads* it is impossible to do without cookies"
<2> Having your sessionid in the URL is ugly
<1> thats the same as giving someone advice to validate by IP
<0> Artnez_: and then you turned around and said it wasn't possible
<1> caffinated: i guess i meant 'impractical'
<0> Artnez_: so do us a favour, and pick a stance
<1> but.. i was still right
<6> i smell a John Kerry!
<7> no dude, you weren't!
<1> it is impossible to retain user data across pages
<9> hi
<8> surfdue: missing a letter
<6> ...no...
<2> I was for sessionid's in the url before i was against them.
<1> because you aren't retaining the user! you could be retaining multiple ones...
<1> because it isnt secure
<6> surfdue? haven't seen you in a while
<1> and its the equivalent of validating by IP
<5> You could also use ajax to simulate multiple pages
<6> *no* its *not*
<1> if someone asked you, 'can i retain a user's data based only on their ip' ... what would you say?
<1> you'd say no, because anyone and their grandmother can spoff that
<1> *spoof
<6> 'your dumb'
<5> i would say, go ahead try it and let them learn why they are stupid
<8> you're driving your car?
<9> same :)
<1> ootput: whats wrong with the example i gave before?
<2> Artnez_: The issue with validating by IP isnt spoofing.. its fairly hard to spoof an IP address..
<10> proxy42.aol.com
<5> did you just say its hard to spoof an ip address?
<2> Artnez_: proxy/cache/etc is the concern
<0> Myconid is correct in this. it's transparent proxies you have to worry about.
<2> Epichero: yes.
<11> It is very easy to spoof an IP
<5> wow
<11> we use it at work all the time to test connections
<0> people on AOL may not even use the same IP from request to request.
<2> Epichero: it is nearly impossible without having access to the router that is responsible for the subnet.
<5> the tor network
<1> caffinated: i think that has changed
<1> the aol thing
<2> Epichero: using tor != spoofing
<11> Myconid, that isn't true either..
<1> i know what you're talking about though
<1> AOL used to have that issue for sure
<11> the originating IP can be modified at anytime
<11> and all the router does is pass the message on
<0> Artnez_: that's possible, however the problem still exists (aol was just an example)
<1> and yes, it can *easily* be spoofed
<6> caffinated: why is there a caffinated and caffinat1d
<1> since it's all sent in the header
<0> itrebal: the other one is my machine at work.
<2> You cannot actively make connections with a spoofed IP
<5> two people the same proxy
<2> it doesnt work.
<6> caffinated: its a bitch when trying to do tab completion :)
<1> Myconid: you dont need to
<11> Myconid, you need to go sit in the cisco channel
<0> itrebal: oh, i can fix that
<11> Then come back and tell us how hard it is to spoof an IP
<2> Judd-MGT: you cant silly.
<0> there you go.
<2> Judd-MGT: you can send traffic claiming to be any IP you want.. sure..
<6> caffinated: you're going to get to work and be like 'wtf?'
<6> thanks :)
<2> Judd-MGT: But over TCP you need to know the sequence number to ack..
<1> regardless, the issue at hand was whether or not you can retain user data without cookies -- the answer is no
<11> And the conversation here is HTTP based, so that is irrelevant Myconid
<1> because doing anything but cookies can easily be ****ed with
<1> thus not completing the objective
<2> Judd-MGT: Right.. which is why when you are discussing validating by IP, the argument 'you should not do that because people can spoof IP's' is not a valid argument.
<6> Artnez_: cookies can 'easily be ****ed with'
<1> sessions can either be stored as cookies, or passed along in the URL. the former is the only way to go.
<5> you can serialize everything and keep passing it around icky
<0> no, the session ID is passed along in that manner. the session is stored on the server.
<11> No that is a very valid argument Myconid, because you can send any number of spoofed IP messages to an HTTP server
<10> Y'all need to chill... at this point I think the person knows IP is a bad way to determine a luser.
<1> caffinated: this i know. all session data is stored on the server and the session ID is passed in our cookie (with a name like PHPSESSID i think)
<6> correct
<0> Artnez_: then stop making stupid assertions. say what you mean.
<2> Judd-MGT: If you send traffic to a server from an IP that isnt yours, your packets will never get routed by the TCP stack to the webserver.. the machine will just drop them..
<1> which is why the session id must be regenerated on every use state change
<1> caffinated: am, you're just reading it in an argumentative manner
<10> Myconid take it to #networking
<11> See that is what you don't understand Myconid, that is very easy to bypass as well..
<11> And if someone is smart enough to spoof the IP in the first place, they will already know how to avoid that issue..
<2> Judd-MGT: can I msg u to continue this?
<6> !tell Myconid about u
<2> itrebal: thank u
<11> There is nothing to continue Myconid.. You are simply wrong.. and I am gonna go back to work..
<5> session hijacking
<6> Myconid: i dont recommend you try the rule
<12> morning everyone