RE: Session Authentication

> -----Original Message-----
> From: Tijnema ! [mailto:tijnema@xxxxxxxxx] 
> Sent: Monday, April 9, 2007 17:55
> To: Peter Lauri
> Cc: Martin Marques; Ólafur Waage; php-general@xxxxxxxxxxxxx
> Subject: Re:  Session Authentication
> 
> On 4/9/07, Peter Lauri <lists@xxxxxxxxxxx> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Tijnema ! [mailto:tijnema@xxxxxxxxx]
> > > Sent: Monday, April 09, 2007 5:38 PM
> > > To: Martin Marques
> > > Cc: Ólafur Waage; php-general@xxxxxxxxxxxxx
> > > Subject: Re:  Session Authentication
> > >
> > > On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > > > > Tijnema ! wrote:
> > > > > On 4/9/07, Martin Marques <martin@xxxxxxxxxxxxxxx> wrote:
> > > > >>
> > > > >> Yes:
> > > > >>
> > > > >> Don't use transparent session id, or even better, save the 
> > > > > >> authentication in a cookie on the client (separated from the 
> > > > >> session array).
> > > > >
> > > > > And then the user would crack the cookie ....
> > > > > > I know they are encrypted, but trust me, cookies can be edited.
> > > >
> > > > > So what? The user authenticated himself, so what is he gonna crack?
> > > > Yes, but I guess you're not only storing whether the user has 
> > > > authenticated, but also storing a username?
> > >
> > > > And if that's not the case, then you could authenticate by creating 
> > > > a cookie where it says authenticated = yes, and you're authenticated...
> > >
> > > Tijnema
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/) To unsubscribe, 
> > > visit: http://www.php.net/unsub.php
> >
> > [Peter Lauri - DWS Asia]
> >
> > > If cookies were that insecure, so that you could create your own cookies 
> > > that easily, would cookies exist?
> >
> > Best regards,
> > Peter Lauri
> 
> Cookies are old, so at the time they were introduced... Today 
> it is possible to create and modify cookies with some good 
> tools. These tools are illegal, but every cracker is 99% 
> illegal, right? But that means I can't give you these tools to 
> prove it, but it is possible.
> 
> Tijnema

Whatever; really, you're boasting for nothing IMO. Ethereal is available to
everyone for sniffing cookie info, so is the Firefox cookie editor, and HTTP
Live Headers... What is so "hideous" about these tools? I use all of them to
troubleshoot my websites while they are under development...

Really, the way to secure web applications is learning to hack them, or
learning what hacks are possible.

And stop feeling superior, sir!

Regards,

Tim

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
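The "authenticated = yes" cookie Tijnema describes, beside a form of the client-side cookie Martin suggests that survives editing, as an added example that is not code from the thread or from anyone on it. The secret, cookie name, username and timestamp are made-up values; the hardened variant stores a username and expiry in the cookie and binds them with an HMAC under a server-side key, so the point is integrity, not the "encryption" the thread argues about. An edited cookie still reaches the server; it just no longer verifies.

```php
<?php
// Added example, not code from the thread. $secret, the cookie name and the
// timestamp below are made-up values for illustration.
declare(strict_types=1);

const AUTH_COOKIE = 'auth';
const AUTH_MAX_AGE = 3600; // seconds a login cookie stays valid

// --- Insecure: the pattern the thread warns about --------------------------
// Anyone who can edit their cookie jar (a browser add-on is enough) sets
// auth=yes and this check lets them in.
function is_authenticated_insecure(array $cookies): bool
{
    return isset($cookies[AUTH_COOKIE]) && $cookies[AUTH_COOKIE] === 'yes';
}

// --- Hardened: payload plus an HMAC over it under a server-side secret ------
// The client can still read and edit the cookie; it just cannot produce a
// valid MAC for the edited value without the secret.
function make_auth_cookie(string $username, string $secret, int $now): string
{
    $payload = base64_encode(json_encode(['u' => $username, 'exp' => $now + AUTH_MAX_AGE]));
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '.' . $mac;
}

// Returns the username if the cookie is intact and unexpired, null otherwise.
function verify_auth_cookie(?string $cookie, string $secret, int $now): ?string
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    $expected = hash_hmac('sha256', $payload, $secret);
    // hash_equals compares in constant time; a plain == would leak how many
    // leading MAC bytes matched.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);
    if (!is_array($data) || !isset($data['u'], $data['exp'])
        || !is_int($data['exp']) || $data['exp'] < $now) {
        return null;
    }
    return (string) $data['u'];
}

// --- Walk-through with constructed values ----------------------------------
$secret = 'made-up-server-secret-load-from-config-in-real-code';
$now = 1176134100; // fixed clock so the run is reproducible

// 1. A hand-made auth=yes cookie passes the insecure check.
var_dump(is_authenticated_insecure([AUTH_COOKIE => 'yes']));

// 2. A cookie the server issued verifies.
$cookie = make_auth_cookie('peter', $secret, $now);
var_dump(verify_auth_cookie($cookie, $secret, $now));

// 3. Changing the username in the payload but keeping the old MAC fails.
[, $oldMac] = explode('.', $cookie, 2);
$forged = base64_encode(json_encode(['u' => 'admin', 'exp' => $now + AUTH_MAX_AGE])) . '.' . $oldMac;
var_dump(verify_auth_cookie($forged, $secret, $now));

// 4. A genuine but expired cookie is also rejected.
var_dump(verify_auth_cookie($cookie, $secret, $now + AUTH_MAX_AGE + 1));

// To issue it for real (the cookie flags matter as much as the MAC):
// setcookie(AUTH_COOKIE, $cookie, ['expires' => $now + AUTH_MAX_AGE,
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Run it with `php example.php`; cases 1 and 2 print true and "peter", cases 3 and 4 print NULL. The trade-off against a plain PHP session is that this cookie carries the login state itself, so the server stores nothing but also cannot revoke it before `exp` without keeping a deny list; with server-side sessions the client holds only an opaque id, which is why the thread's other advice, not exposing that id transparently in URLs, still applies.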
