On 4/9/07, Peter Lauri <lists@xxxxxxxxxxx> wrote:
> -----Original Message-----
> From: Tijnema ! [mailto:tijnema@xxxxxxxxx]
> Sent: Monday, April 09, 2007 5:38 PM
> To: Martin Marques
> Cc: Ólafur Waage; php-general@xxxxxxxxxxxxx
> Subject: Re: Session Authentication
>
> On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > Tijnema ! wrote:
> > > On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > >>
> > >> Yes:
> > >>
> > >> Don't use transparent session id, or even better, save the
> > >> authentication in a cookie on the client (separated from the session
> > >> array).
> > >
> > > And then the user would crack the cookie ....
> > > I know they are encrypted, but trust me, cookies can be edited.
> >
> > So what? The user authenticated himself, so what is he gonna crack?
>
> Yes, but I guess you're not only storing if the user has
> authenticated, also storing a username?
>
> And if that's not the case, then you could authenticate by creating a
> cookie where it says authenticated = yes, and you're authenticated...
>
> Tijnema
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

[Peter Lauri - DWS Asia] If cookies were that unsecured so you could create your own cookies that easily, then would cookies exist?

Best regards,
Peter Lauri
Cookies are old, so since the time they were introduced it has become possible to create and modify cookies with some good tools. These tools are illegal, but every cracker is 99% illegal, right? But that means I can't give you these tools to prove it, but it is possible.

Tijnema
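The point in dispute above (a cookie that just says "authenticated = yes" can be typed into any HTTP client, no special tools needed) and the fix a practitioner would apply to Martin's suggestion of keeping authentication state in a cookie, shown as an added example that is not code from anyone in this thread. The payload is signed with an HMAC under a server-side key, so the browser can still read the cookie but cannot alter it without the key. Assumptions: PHP 7.1 or newer (hash_equals, nullable types, short list syntax), a hypothetical SECRET_KEY constant standing in for a key loaded from configuration, and cookie values constructed inline rather than read from $_COOKIE, so the script runs from the command line without a web server.

```php
<?php
// Added example, not from the php-general thread. Shows why a plain
// "authenticated=yes" cookie is forgeable and how an HMAC-signed cookie is not.
declare(strict_types=1);

// Hypothetical server secret. Load a real one from configuration, generated
// once with bin2hex(random_bytes(32)); never commit it to source.
const SECRET_KEY = 'replace-with-32-random-bytes-from-random_bytes()';

// --- Naive scheme: every byte of the cookie is chosen by the client. ---
function naive_is_authenticated(array $cookies): bool
{
    // Anyone can send "Cookie: authenticated=yes; user=admin" with curl.
    return isset($cookies['authenticated']) && $cookies['authenticated'] === 'yes';
}

// --- Signed scheme: payload plus HMAC-SHA256 over that payload. ---
function build_auth_cookie(string $user, int $expiresAt, string $key): string
{
    // base64 output never contains '.', so '.' is a safe separator.
    $payload = base64_encode(json_encode(['u' => $user, 'exp' => $expiresAt]));
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $mac;
}

// Returns the user name, or null if the cookie is missing, altered or expired.
function verify_auth_cookie(?string $cookie, string $key, int $now): ?string
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, $key);
    // Constant-time comparison: a plain === leaks timing information.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $data = json_decode(base64_decode($payload, true), true);
    if (!is_array($data) || !isset($data['u'], $data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return $data['u'];
}

// --- Demonstration with constructed cookie values (no real HTTP involved). ---
$now = time();

// 1. Forging the naive cookie: trivially succeeds.
$forged = ['authenticated' => 'yes', 'user' => 'admin'];
printf("naive scheme, forged cookie accepted: %s\n",
    naive_is_authenticated($forged) ? 'yes' : 'no');

// 2. Genuine signed cookie issued by the server for "alice".
$good = build_auth_cookie('alice', $now + 3600, SECRET_KEY);
printf("signed scheme, genuine cookie -> %s\n",
    verify_auth_cookie($good, SECRET_KEY, $now) ?? 'rejected');

// 3. Attacker edits the payload to claim "admin" but keeps the old MAC.
[, $mac] = explode('.', $good, 2);
$tampered = base64_encode(json_encode(['u' => 'admin', 'exp' => $now + 3600])) . '.' . $mac;
printf("signed scheme, tampered payload -> %s\n",
    verify_auth_cookie($tampered, SECRET_KEY, $now) ?? 'rejected');

// 4. Attacker signs with a guessed key: MAC mismatch.
$wrongKey = build_auth_cookie('admin', $now + 3600, 'guessed-key');
printf("signed scheme, wrong key -> %s\n",
    verify_auth_cookie($wrongKey, SECRET_KEY, $now) ?? 'rejected');

// 5. Old but genuine cookie replayed after expiry.
$expired = build_auth_cookie('alice', $now - 1, SECRET_KEY);
printf("signed scheme, expired cookie -> %s\n",
    verify_auth_cookie($expired, SECRET_KEY, $now) ?? 'rejected');
```

Two caveats when this is wired to real requests. The signed value is readable by the user, so it must carry only what the server is happy for them to see (a user id and an expiry, not a password hash), and it should be sent with setcookie's secure and httponly flags. A signature also gives no way to revoke a cookie before it expires; if logout or account lockout must take effect immediately, keep the authentication state server-side (the session, or a token table) and let the cookie hold nothing but an unguessable random identifier.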