
will it be safe?


birbal


I have a registration page... after successful registration I have a redirection to the login page. In the login page I will catch the data which I send embedded with the URL in the redirection, and will check it in the login page. If it matches then access is granted, otherwise "denied". Till now all is working fine, but I have a doubt on it... is it secure to send login data via GET? I am sending login nick and password... should I stick with the process or is there any other secure way to do it?


I'm not totally sure, but I think that data can be intercepted by a sniffer program like Paros. It might be more secure and better in terms of usability if you log the user in once they have registered.

> It might be more secure and better in terms of usability if you log the user in once they have registered.
1) Do you mean that I should give sessions as authenticated user after registration?

> 1) Do you mean that I should give sessions as authenticated user after registration?
Ya. I think that's how a lot of sites do it. Once you register, you are already logged in. Add the user to the database and assign the username to a session variable. If the query fails, don't assign a session.

Alright, got it. Thanks to all of you... but I see some sites which pass a session id embedded with the URL (every link). In those sites you can log in simultaneously with more than one user id. If you put the sesid field blank or any wrong id (suppose you have two ids logged in but you put a session id which doesn't exist on those ids) it will show a page "session has expired". I don't get the working style of these sites. How do they work then? someidnumber1 and someidnumber2 are some session ids for userid 1 and userid 2:

http://somesite.com/sid=someidnumber1

http://somesite.com/sid=someidnumber2

How to check whether a session has expired or not? I don't know if I am able to express my question or not. :/


The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.


> The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.
Yes.. but these sites also put a cookie. If you delete it, on the next load of the page they put a cookie again. I have a doubt what they are for, if they are using sesid with the URL. Actually I am thinking the same as this site. So for this purpose, how do they check whether a session has expired or not? I have a doubt. As I am thinking for my code...
1) pass the session id with the URL
2) in the recipient page it will check the database whether the session exists or not (custom session in database)
3) if it exists it will show up the page and will update the sessions.
4) if it does not exist it will show the session expired page or redirect to the logout.
Is that the correct way, logically or on the basis of security? Correct me please.

Why don't you just use the native session functionality?
I am not sure what you mean by native session. I guess you are talking about default session handling. I want to track total sessions I have for users so.....

Archived

This topic is now archived and is closed to further replies.
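
The four-step check discussed in the thread (look up the session id, refresh it if it exists, otherwise treat it as expired), together with the "total sessions" count, as an added example that is not code from any poster. The names `SessionStore` and `IDLE_TIMEOUT`, the 15-minute timeout, and the in-memory dict standing in for the database table are all assumptions; how the id reaches the server (cookie or URL) is outside the sketch.

```python
import hashlib
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed value: seconds of inactivity before expiry


class SessionStore:
    """In-memory stand-in for the custom session table (hypothetical name)."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT, clock=time.time):
        self._rows = {}  # sha256(session id) -> {"user": ..., "last_seen": ...}
        self._idle_timeout = idle_timeout
        self._clock = clock  # injectable so expiry can be tested without sleeping

    @staticmethod
    def _key(sid):
        # Store only a hash so a leaked table does not hand out live session ids.
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user):
        """Call once registration or login has succeeded; returns the new id."""
        sid = secrets.token_urlsafe(32)  # 256 random bits from the OS CSPRNG
        self._rows[self._key(sid)] = {"user": user, "last_seen": self._clock()}
        return sid

    def check(self, sid):
        """Return the user for a live session, or None if unknown or expired."""
        key = self._key(sid or "")
        row = self._rows.get(key)
        if row is None:
            return None  # blank, wrong or already-removed id
        if self._clock() - row["last_seen"] > self._idle_timeout:
            del self._rows[key]  # expired: delete so it cannot be revived
            return None
        row["last_seen"] = self._clock()  # live: slide the expiry window
        return row["user"]

    def destroy(self, sid):
        """Logout: drop the row if it exists."""
        self._rows.pop(self._key(sid or ""), None)

    def active_count(self):
        """Number of sessions that have not yet idle-expired."""
        now = self._clock()
        return sum(1 for r in self._rows.values()
                   if now - r["last_seen"] <= self._idle_timeout)
```

A `None` from `check` is the point at which the page would show "session has expired" or redirect to the login form.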
