birbal Posted October 14, 2010

I have a registration page... after successful registration I have a redirection to the login page. In the login page I will catch the data which I send embedded with the URL in the redirection, and will check it in the login page. If it matches then access is granted, otherwise "denied". Till now all is working fine, but I have a doubt about it... is it secure to send login data via GET? I am sending the login nick and password... should I stick with the process, or is there any other secure way to do it?

skaterdav85 Posted October 14, 2010

I'm not totally sure, but I think that data can be intercepted by a sniffer program like Paros. It might be more secure and better in terms of usability if you log the user in once they have registered.

dsonesuk Posted October 14, 2010

The address bar dropdown and history will have the values shown within the link; using a session would be a better option.

birbal Posted October 14, 2010

> I'm not totally sure, but I think that data can be intercepted by a sniffer program like Paros. It might be more secure and better in terms of usability if you log the user in once they have registered.

1) Do you mean that I should give sessions as authenticated user after registration?

skaterdav85 Posted October 14, 2010

> 1) Do you mean that I should give sessions as authenticated user after registration?

Ya, I think that's how a lot of sites do it. Once you register, you are already logged in. Add the user to the database and assign the username to a session variable. If the query fails, don't assign a session.

wirehopper Posted October 14, 2010

Use POST for login data; adding SSL would be even better.

birbal Posted October 15, 2010

All right, got it. Thanks to all of you... but I see some sites which pass a session id embedded in the URL (every link). In those sites you can log in simultaneously with more than one user id. If you leave the sesid field blank or put any wrong id (suppose you have two ids logged in but you put a session id which doesn't exist for those ids) it will show a page "session has expired". I don't get the working style of these sites. How do they work then?

someidnumber1 and someidnumber2 are some session ids for userid 1 and userid 2:

http://somesite.com/sid=someidnumber1
http://somesite.com/sid=someidnumber2

How to check whether a session has expired or not? I don't know if I am able to express my question or not. :/

Synook Posted October 15, 2010

The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.

birbal Posted October 15, 2010

> The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.

Yes... but these sites also put a cookie. If you delete it, on the next load of the page they put a cookie again. I have a doubt what they are for, if they are using sesid with the URL. Actually I am thinking of the same as this site. So for this purpose, how do they check whether a session has expired or not? I have a doubt. As I am thinking for my code...

1) pass the session id with the URL
2) in the recipient page it will check the database whether the session exists or not (custom session in database)
3) if it exists it will show the page and will update the sessions.
4) if it does not exist it will show the session expired page or redirect to the logout.

Is that the correct way logically or on the basis of security? Correct me please.

Synook Posted October 15, 2010

Why don't you just use the native session functionality?

birbal Posted October 16, 2010

> Why don't you just use the native session functionality?

I am not sure what you mean by native session. I guess you are talking about default session handling. I want to track total sessions I have for users, so.....
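
An added example, not part of any post in this thread: it combines the suggestion to log the user in at registration (so no nick or password travels in a redirect URL) with the four-step database session check and the wish to count sessions per user. The table layout, function names, the 30-minute idle limit and the choice of Python with SQLite are assumptions, and `pw_hash` is assumed to be the output of a password-hashing function.

```python
import hashlib, secrets, sqlite3, time

IDLE_TIMEOUT = 1800  # assumed idle limit, seconds
db = sqlite3.connect(":memory:")  # stand-in for the site's database
db.execute("CREATE TABLE users (nick TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
db.execute("CREATE TABLE sessions (sid_hash TEXT PRIMARY KEY, nick TEXT, last_seen REAL)")

def _digest(sid):
    # Store only a hash of the id, so a leaked sessions table cannot be replayed.
    return hashlib.sha256(sid.encode()).hexdigest()

def start_session(nick, now=None):
    sid = secrets.token_urlsafe(32)  # unguessable id from the OS CSPRNG
    now = time.time() if now is None else now
    db.execute("INSERT INTO sessions VALUES (?, ?, ?)", (_digest(sid), nick, now))
    return sid

def register(nick, pw_hash, now=None):
    """Create the user and log them in; no session if the insert fails."""
    try:
        db.execute("INSERT INTO users VALUES (?, ?)", (nick, pw_hash))
    except sqlite3.IntegrityError:  # nick already taken
        return None
    return start_session(nick, now)

def check_session(sid, now=None):
    """Return the nick for a live session and refresh it, else None."""
    now = time.time() if now is None else now
    key = _digest(sid or "")
    row = db.execute("SELECT nick, last_seen FROM sessions WHERE sid_hash = ?", (key,)).fetchone()
    if row is None:
        return None  # unknown or blank id: treat as expired
    if now - row[1] > IDLE_TIMEOUT:
        db.execute("DELETE FROM sessions WHERE sid_hash = ?", (key,))
        return None
    db.execute("UPDATE sessions SET last_seen = ? WHERE sid_hash = ?", (now, key))
    return row[0]

def active_sessions(nick, now=None):
    """Count this user's sessions that have not idled out."""
    now = time.time() if now is None else now
    q = "SELECT COUNT(*) FROM sessions WHERE nick = ? AND ? - last_seen <= ?"
    return db.execute(q, (nick, now, IDLE_TIMEOUT)).fetchone()[0]

def session_cookie(sid):
    # The id goes in a cookie, not the URL, so it stays out of history and logs.
    return f"sid={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"
```

The `now` parameter exists only so expiry can be exercised with fixed timestamps; in a request handler it would be left at its default.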
Archived
This topic is now archived and is closed to further replies.