Peter Lauri wrote:
-----Original Message-----
From: Tijnema ! [mailto:tijnema@xxxxxxxxx]
Sent: Monday, April 09, 2007 5:38 PM
To: Martin Marques
Cc: Ólafur Waage; php-general@xxxxxxxxxxxxx
Subject: Re: Session Authentication
On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
Tijnema ! escribió:
On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
Yes:
Don't use transparent session id, or even better, save the
authentication in a cookie on the client (seperated from the session
array).
And then the user would crack the cookie ....
I know they are encrypted, but trust me, cookies can be edited.
So what? The user authenticated himself, so what is he gonna crack?
Yes, but i guess you're not only storing if the user has
authenticated, also storing a username?
And if that's not the case, then you could authenticate by creating a
cookie where it says authenticated = yes, and you're authenticated...
Tijnema
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[Peter Lauri - DWS Asia]
If cookies were that unsecured so you could create your own cookies that
easily, then would cookies exist?
Cookies really are that insecure, which is why you *don't* use them to
store whether the user has authenticated. You store that in the session
and use a cookie purely to identify the session.
The main thing to remember is that cookies are transmitted between
client and server for every request. This means that they *can* be
faked. Sessions live only on the server making them a lot more secure,
but by no means completely secure.
-Stut
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
