Jump to content

will it be safe?


birbal
 Share

Recommended Posts

i have registration page...after successful registration i have a redirection to the login page. in login page i will catch the data which i send embded with url in the redirection.and will check it in login page. if match then access garnte dotherwise "denied". till now alll are working fine. but i have doubton it... is it secure to send login data via get? i am sending login nick and password...should i stick with the process or there is any other secure way to do it?

Link to comment
Share on other sites

im not totally sure but i think that data can be intercepted by a sniffer program like paros. It might be more secure and better in terms of usability if you log the user in once they have registered.
It might be more secure and better in terms of usability if you log the user in once they have registered.
1) do you mean that i should give sessions as authenticated user after registration?
Link to comment
Share on other sites

1) do you mean that i should give sessions as authenticated user after registration?
ya. i think that's how a lot of sites do it. once you register, you are already logged in. add the user to the database and assign the username to a session variable. if the query fails, don't assign a session.
Link to comment
Share on other sites

al right got it. thanks to all of you...but i see some sites which pass session id embded with url.(every link). in those site you can log in simulatnously with more than one user id. if you put sesid field blank or any wrong id (supose you have two id logged but you put a session id which dont exist on those ids) it will show a page session has expired. i dont get the working style of these site. how does they work then?someidnumebr1 and someidnumber2 is some session id for userid 1 and userid2

http://somesite.com/sid=someidnumber1

http://somesite.com/sid=someidnumber2

how to check session has been expired or not?i dont know i enable to express my question or not. :/

Link to comment
Share on other sites

The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.

Link to comment
Share on other sites

The querystring is used to pass round the SID, as an alternative to the usual method of using cookies. Deleting the session cookie has the same effect as removing the querystring - the server will lose track of the session. You can theoretically have multiple sessions active at the same time no matter which system is used.
yes..but these site also put a cookie. if you deleted it. in next load of page they put a cookie again. i have doubt why are they for. if they are using sesid with url.actually i am thinking same like this site. so in this purpose how they check that a session has expired or not? have a doubt.as i am thinking for my code ...1) pass the session id with url2) in the recpient page it will check the database that session exist or not (custom session in database)3) if exist it will show up the page and will update the sessions.4) if does not exist will show the session expire page or redirect to the logout.is that correct way logicaly or in the basis of security?correct me please. Edited by birbal
Link to comment
Share on other sites

Why don't you just use the native session functionality?
i am not sure what do u mean by native session. i guess you are talking about default session handling.i want to track total sessions i have for users so.....
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...