[Typo3-dev] security suggestion for tipafriend ext
Ernesto Baschny
ernst at baschny.de
Wed Jun 9 11:06:53 CEST 2004
Hi!
On Wed, 9 Jun 2004, Andreas Otto wrote:
> On Tuesday 08 June 2004 23:55, Kasper Skårhøj wrote:
> > I don't think the session thing here improves anything - after all a
> > spammer wouldn't accept cookies and thus no sessions...
>
> Well, this depends on how you utilise the native PHP session functions. AFAIK
> Chi Hoang is using native sessions in his improvements.
> And because he is using native sessions no cookies will be needed if you
> enable session.use_trans_sid in the php.ini.
Which still doesn't avoid the spam problem, since you can't prevent
someone from just stripping the session-id from the GET-parameter (which is
where it will be placed in case of use_trans_sid).

It is not possible to maintain a session if the user doesn't want it, so I
don't think this is a good solution to the problem.

You could always keep track of the poster's IP and limit by IP, but this can
also be circumvented (switching IPs, using thousands of proxies, etc).
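
Added example (not part of the original message and not code from the tipafriend extension): a send limit keyed on the session ID next to one keyed on the client IP, run over constructed requests that arrive without a session ID. The limit, window length, function names and sample IP are assumptions; as the message notes, the IP-keyed limit only holds while the sender stays on one address.

```php
<?php
// Added example: session-keyed versus IP-keyed send limit.
// All names and values here are illustrative assumptions.

const MAX_SENDS = 3;     // assumed limit per window
const WINDOW    = 3600;  // assumed window length in seconds

/** Fixed-window counter: true if $key may still send at time $now. */
function allowSend(array &$store, string $key, int $now): bool
{
    $bucket = intdiv($now, WINDOW);
    if (!isset($store[$key]) || $store[$key]['bucket'] !== $bucket) {
        $store[$key] = ['bucket' => $bucket, 'count' => 0];
    }
    if ($store[$key]['count'] >= MAX_SENDS) {
        return false;
    }
    $store[$key]['count']++;
    return true;
}

/** What the server does with use_trans_sid: no valid SID in the URL means a new session. */
function resolveSession(array &$sessions, ?string $sid): string
{
    if ($sid === null || !isset($sessions[$sid])) {
        $sid = bin2hex(random_bytes(16));
        $sessions[$sid] = true;
    }
    return $sid;
}

// Constructed requests: one client IP, session ID absent from every URL.
$requests = array_fill(0, 6, ['ip' => '192.0.2.10', 'sid' => null]);

$sessions = $bySession = $byIp = [];
$now = 1086771600; // constructed timestamp
foreach ($requests as $i => $req) {
    $sid = resolveSession($sessions, $req['sid']);
    // Every request gets a fresh session, so this counter never reaches the limit.
    $sessionOk = allowSend($bySession, $sid, $now + $i);
    // The IP is the same on every request, so this counter does.
    $ipOk = allowSend($byIp, $req['ip'], $now + $i);
    printf("request %d  session-limit=%s  ip-limit=%s\n",
        $i + 1, $sessionOk ? 'allow' : 'block', $ipOk ? 'allow' : 'block');
}
```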