Re: Log-in script help

On Wednesday 26 January 2005 06:58, Chris W. Parker wrote:

> The basic idea for restricting access goes like this:
>
> A value is set in a cookie on the client's machine if the user
> successfully authenticates. The website will not allow access to the
> page(s) unless this value is found.

No, what it really should be doing is setting a cookie; this cookie only 
contains an identifier which (of course) uniquely identifies the user. When 
the server receives the cookie, it checks whether the identifier is deemed to 
be logged in and acts accordingly.

> Although this sounds pretty simple you have to keep in mind it's not
> very secure. Since cookies reside on the client's machine, the client
> could manipulate the cookie and pretend to be logged in.

The above will prevent this. However it does not prevent session hijacking -- 
google for more info.

-- 
Jason Wong -> Gremlins Associates -> www.gremlins.biz
Open Source Software Systems Integrators
* Web Design & Hosting * Internet & Intranet Applications Development *
------------------------------------------
Search the list archives before you post
http://marc.theaimsgroup.com/?l=php-general
------------------------------------------
New Year Resolution: Ignore top posted posts
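One way to implement the scheme Jason describes, as an added example that is not from the thread: the cookie carries only a random identifier, and whether that identifier is logged in is decided by a lookup on the server. The in-memory array, the 30-minute lifetime and the user name are constructed for illustration; in a real request the returned identifier is what you would pass to setcookie() with the HttpOnly and Secure flags.

```php
<?php
// Constructed in-memory store standing in for a database or session table.
// Maps opaque identifier => ['user' => ..., 'expires' => unix time].
$sessions = [];

// Called only after the user has authenticated successfully.
// Returns the value to put in the cookie: 128 random bits, nothing else.
function start_session(array &$sessions, string $user): string
{
    $id = bin2hex(random_bytes(16));           // unguessable, carries no user data
    $sessions[$id] = ['user' => $user, 'expires' => time() + 1800];
    return $id;
}

// Called on every protected page with the raw cookie value (or null if absent).
// The client cannot "set itself logged in": only identifiers the server
// issued and still holds resolve to a user.
function current_user(array &$sessions, ?string $cookie): ?string
{
    if ($cookie === null || !isset($sessions[$cookie])) {
        return null;                           // unknown or forged identifier
    }
    if ($sessions[$cookie]['expires'] < time()) {
        unset($sessions[$cookie]);             // expired: drop it server-side
        return null;
    }
    return $sessions[$cookie]['user'];
}

// Logout invalidates on the server, so a copied cookie stops working too.
function end_session(array &$sessions, string $id): void
{
    unset($sessions[$id]);
}

// Demonstration with constructed values.
$sid = start_session($sessions, 'alice');
echo "issued cookie value: $sid\n";
echo "valid id   -> ", var_export(current_user($sessions, $sid), true), "\n";
echo "forged id  -> ", var_export(current_user($sessions, 'logged_in=1'), true), "\n";
echo "random id  -> ", var_export(current_user($sessions, bin2hex(random_bytes(16))), true), "\n";
end_session($sessions, $sid);
echo "after logout -> ", var_export(current_user($sessions, $sid), true), "\n";
```

The lookup rejects forged or guessed values, but as Jason notes it does not help against someone who captures a valid identifier in transit or from the browser; the Secure and HttpOnly cookie flags and server-side expiry narrow that window.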

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

