[snip] First, let me apologize for having to take it to a basic level. I'll admit that I'm fairly new to web development, but this is something I could *really* use at work and I want to make sure I understand (just to set the stage, we use Windows/Active Directory/MS SQL Server at work, but have decided that future applications will be written in PHP run on Linux/Apache). So I have a login script that sets a cookie when the user logs in. Then I have an application written in PHP that reads the cookie for authentication purposes. What would I store in the cookie? Would the username be sufficient (since the cookie was set, we can assume that it was already authenticated through AD, right), or is there something more I can add to the cookie to make the process more secure? Which leads back to my original question: what would keep me from setting a cookie with, say, my manager's username, fooling the PHP application into thinking I'm her? [/snip]

You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username-only problem. I do not want to store the user's password in any format in the cookie.

I am thinking that the login script will cause a cookie to be written (via PHP) with a base64-encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary. I have not tested this, though. It is on my task list for next week. :)

So, you could set a cookie with your manager's name, but it wouldn't work. You would also have to know how to encode a string properly for storage in the cookie. Read http://www.php.net/manual/en/function.setcookie.php for more information on cookies.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
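The following is an added example, not code from the original thread, showing one way to do what the reply above sketches: put the username in the cookie together with a value the server can check so that a cookie built by hand with someone else's username is rejected. base64 on its own is reversible encoding, not a hash, and anyone can produce it, so the example uses an HMAC (hash_hmac) keyed with a secret that only the server knows. The secret, the field separator, the cookie name and the PHP 5.6+ requirement (for hash_equals) are assumptions for the sake of the example.

```php
<?php
// Added example (not from the original post): a tamper-evident login cookie for PHP.
// Assumption: a long random secret known only to the server, loaded from a config file
// outside the web root. Anyone who obtains it can forge cookies, so guard it like a password.
const AUTH_SECRET = 'replace-with-a-long-random-secret-from-config';
const AUTH_COOKIE = 'intranet_auth';   // assumed cookie name

// Build the cookie value: base64(username) | expiry | HMAC-SHA256 over the first two fields.
// base64 never contains '|', so the fields can be split again unambiguously.
function make_auth_cookie(string $username, int $expires, string $secret = AUTH_SECRET): string
{
    $payload = base64_encode($username) . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Return the username if the cookie is authentic and unexpired, otherwise null.
function verify_auth_cookie(string $cookie, int $now, string $secret = AUTH_SECRET): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$b64user, $expires, $mac] = $parts;
    if (!ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $b64user . '|' . $expires, $secret);
    // hash_equals compares in constant time, so an attacker cannot learn the MAC byte by byte.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    $user = base64_decode($b64user, true);   // strict mode rejects junk input
    return $user === false ? null : $user;
}

// In the login script, after AD has authenticated the user:
function issue_auth_cookie(string $username): void
{
    $expires = time() + 8 * 3600;   // assumed 8-hour session
    // secure=true keeps it off plain HTTP, httponly=true keeps it away from page scripts.
    setcookie(AUTH_COOKIE, make_auth_cookie($username, $expires), $expires, '/', '', true, true);
}

// In the application, on each request:
function current_user(): ?string
{
    if (!isset($_COOKIE[AUTH_COOKIE])) {
        return null;
    }
    return verify_auth_cookie($_COOKIE[AUTH_COOKIE], time());
}

// Command-line demonstration of the forgery scenario from the thread.
if (PHP_SAPI === 'cli') {
    $now = time();
    $good = make_auth_cookie('alice', $now + 3600);
    // A colleague takes a genuine cookie and swaps in the manager's username.
    $forged = base64_encode('manager') . '|' . explode('|', $good)[1] . '|' . explode('|', $good)[2];
    $expired = make_auth_cookie('alice', $now - 1);

    echo 'genuine : ', var_export(verify_auth_cookie($good, $now), true), PHP_EOL;    // 'alice'
    echo 'forged  : ', var_export(verify_auth_cookie($forged, $now), true), PHP_EOL;  // NULL
    echo 'expired : ', var_export(verify_auth_cookie($expired, $now), true), PHP_EOL; // NULL
}
```

Two things the thread does not mention but that matter for this design: the cookie still authenticates whoever presents it, so a stolen cookie is as good as a password until it expires (hence the short expiry and the secure/httponly flags), and rotating the secret invalidates every outstanding cookie at once, which is the intended way to force everyone to log in again.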