On Monday 09 April 2007 12:37, Tijnema ! wrote:
> On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > Tijnema ! wrote:
> > > On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > >> Yes:
> > >>
> > >> Don't use transparent session id, or even better, save the
> > >> authentication in a cookie on the client (separated from the session
> > >> array).
> > >
> > > And then the user would crack the cookie ....
> > > I know they are encrypted, but trust me, cookies can be edited.
> >
> > So what? The user authenticated himself, so what is he gonna crack?
>
> Yes, but I guess you're not only storing if the user has
> authenticated, also storing a username?
>
> And if that's not the case, then you could authenticate by creating a
> cookie where it says authenticated = yes, and you're authenticated...
>
> Tijnema

... and we get a security crater... =]

--
Davi Vidal
davividal@xxxxxxxxxxxxxxxx
davividal@xxxxxxxxx
--
Now with fortune:
"Crito, I owe a cock to Asclepius; will you remember to pay the debt?
-- Socrates' last words"

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
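The forgeable "authenticated = yes" cookie Tijnema describes, shown beside an HMAC-signed cookie that the client can read but not alter, as an added example that is not code from the thread; the key, usernames and function names are placeholders chosen for the illustration.

```php
<?php
// Added example (not from the thread): why a bare "authenticated=yes"
// cookie is forgeable, and how an HMAC-signed cookie prevents that.

// Server-side secret; placeholder value, load from config in practice.
const AUTH_KEY = 'replace-with-a-long-random-secret';

// Naive scheme from the thread: whatever the client sends is trusted.
function naiveIsAuthenticated(array $cookies): bool {
    return isset($cookies['authenticated']) && $cookies['authenticated'] === 'yes';
}

// Signed scheme: value = user|expiry|HMAC(user|expiry). The client can see
// the username but cannot change it without invalidating the tag.
function makeAuthCookie(string $user, int $expiry, string $key): string {
    $payload = $user . '|' . $expiry;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns the authenticated username, or null if the cookie is missing,
// malformed, expired, or has been tampered with.
function verifyAuthCookie(?string $cookie, string $key, int $now): ?string {
    if ($cookie === null) { return null; }
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) { return null; }
    [$user, $expiry, $tag] = $parts;
    if (!ctype_digit($expiry) || (int)$expiry < $now) { return null; }
    $expected = hash_hmac('sha256', $user . '|' . $expiry, $key);
    // Constant-time comparison so the tag cannot be guessed byte by byte.
    return hash_equals($expected, $tag) ? $user : null;
}

// Demonstration with constructed cookie values (no real requests).
$now = 1700000000;
$forged = ['authenticated' => 'yes'];             // client typed this in
var_dump(naiveIsAuthenticated($forged));           // bool(true): forgery works

$good = makeAuthCookie('alice', $now + 3600, AUTH_KEY);
var_dump(verifyAuthCookie($good, AUTH_KEY, $now)); // string(5) "alice"

// Client edits the username but cannot recompute the HMAC.
$tampered = str_replace('alice', 'admin', $good);
var_dump(verifyAuthCookie($tampered, AUTH_KEY, $now)); // NULL

// Client invents a cookie from scratch with a made-up tag.
var_dump(verifyAuthCookie('admin|' . ($now + 3600) . '|0000', AUTH_KEY, $now)); // NULL
```

A real deployment would also reject usernames containing the separator, set the cookie with the HttpOnly and Secure flags, and keep a server-side revocation check so a stolen cookie can be invalidated before it expires.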