Quoting jblanchard@xxxxxxxxxx:
You could just store a username, since they have already authenticated, but a cookie with just a username would be easy to duplicate. My current thought is to hash a checksum of some sort and store that in the cookie as well. That way you avoid the username-only problem. I do not want to store the user's password in any format in the cookie. I am thinking that the login script will cause a cookie to be written (via PHP) with a base64-encoded (http://www.php.net/manual/en/function.base64-encode.php) string or some other hash method. Then that string could be decoded when the user accesses the intranet site and compared against whatever criteria you deem necessary.
Okay, I'm following all of this. So I could take, say, the username reversed and encode it, then decode it in the PHP application, and be safe as long as nobody ever figures out what I'm encoding and how I'm encoding it. What would be great would be if the value that gets encoded could somehow be dynamic (like the current time, or even a randomly generated string). But then how would the PHP script know what the decoded value is supposed to be? Hmmm...something to think about.
I have not tested this though. It is on my task list for next week though. :)
Let us know how it goes!

Thanks,
Rick
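The question raised in the thread (how the script can check a cookie whose contents include a timestamp or a random string) is illustrated below as an added example; it is not code from either poster. base64 can be decoded by anyone without a key, so this sketch signs the cookie payload with a keyed HMAC and has the server recompute that HMAC over whatever payload comes back. The key value, lifetime, field layout and function names are assumptions made for the illustration.

```php
<?php
// Added example. SECRET_KEY is a constructed placeholder; a real deployment
// loads a long random key from server-side configuration, never from the cookie.
const SECRET_KEY = 'constructed-demo-key-replace-me';
const COOKIE_TTL = 3600; // seconds a cookie stays valid (assumed policy)

// Build "base64(payload).hex(hmac)" where payload = username|expiry|nonce.
function make_auth_cookie(string $username, int $now): string
{
    $nonce   = bin2hex(random_bytes(16)); // the dynamic, random part
    $payload = implode('|', [$username, $now + COOKIE_TTL, $nonce]);
    $mac     = hash_hmac('sha256', $payload, SECRET_KEY);
    return base64_encode($payload) . '.' . $mac;
}

// Return the username if the cookie is authentic and unexpired, else null.
function verify_auth_cookie(string $cookie, int $now): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    $payload = base64_decode($parts[0], true); // strict: reject bad characters
    if ($payload === false) {
        return null;
    }
    // The server does not need to know the nonce in advance: it recomputes
    // the MAC over the received payload and compares in constant time.
    $expected = hash_hmac('sha256', $payload, SECRET_KEY);
    if (!hash_equals($expected, $parts[1])) {
        return null;
    }
    $fields = explode('|', $payload);
    if (count($fields) !== 3 || !ctype_digit($fields[1]) || (int) $fields[1] < $now) {
        return null;
    }
    return $fields[0];
}

// Constructed demonstration values.
$now    = time();
$cookie = make_auth_cookie('rick', $now);
var_dump(verify_auth_cookie($cookie, $now)); // untampered cookie
// Same signature, different payload: the MAC no longer matches.
$altered = base64_encode('admin|' . ($now + COOKIE_TTL) . '|00') . '.' . explode('.', $cookie)[1];
var_dump(verify_auth_cookie($altered, $now));
var_dump(verify_auth_cookie($cookie, $now + COOKIE_TTL + 1)); // past expiry
```

The protection rests on the secrecy of the server-side key alone, not on hiding which fields are encoded or how.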