On Tue, May 29, 2007 10:36 am, Jared Farrish wrote:
>> But the point here is that both pieces of information required to
>> authenticate that client are stored on the client. If someone can get
>> one of them they can get the other, so it's no more secure than just
>> accepting the one cookie without bothering to authenticate it in any
>> way.
>
> The token isn't any more secure than tokenizing a user agent and
> salting it into a digest. The client still knows what their user agent
> string says, and this string can also be guessed (how random can they
> be?), but at least you can manipulate a secondary hash key per
> day/hour, week, whatever.

The token is LESS secure, because it's obvious what you are doing --
You are sending out a clear red flag to a Bad Guy that they need this
extra token to get back in.

If they can get the first cookie, they can get the second just as easily.

You've added zero extra security.

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/browse/from/lynch
Yeah, I get a buck. So?

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
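As an added illustration, not code from the thread, here is a Python sketch of the two schemes being argued about: a second cookie derived only from the first cookie, and a digest over the user agent with a rotating hash key, with the key held on the server. The session id, user-agent string, key and dates are constructed sample values. It shows where each scheme fails: the derived cookie can be rebuilt by anyone holding the first cookie, and even the keyed variant still accepts a verbatim copy of both cookies, which is the reply's point.

```python
import hashlib
import hmac

# Constructed sample secret; in the keyed scheme this never leaves the server.
SERVER_KEY = b"server-side-secret-constructed-for-example"


def unkeyed_token(sid: str) -> str:
    """Second cookie derived purely from the first cookie (client-visible data only)."""
    return hashlib.sha256(sid.encode()).hexdigest()


def verify_unkeyed(cookies: dict) -> bool:
    """Server check for the two-cookie scheme: compare token against hash(sid)."""
    return cookies.get("token") == unkeyed_token(cookies.get("sid", ""))


def keyed_token(sid: str, user_agent: str, period: str, key: bytes = SERVER_KEY) -> str:
    """Variant from the thread: user agent plus a rotating period folded into a
    digest, keyed with a server-held secret so the client cannot recompute it."""
    msg = f"{sid}|{user_agent}|{period}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def verify_keyed(cookies: dict, user_agent: str, period: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison against the expected keyed digest for this period."""
    expected = keyed_token(cookies.get("sid", ""), user_agent, period, key)
    return hmac.compare_digest(cookies.get("token", ""), expected)


def evaluate() -> dict:
    """Compare what a cookie thief can do against each scheme (constructed values)."""
    sid, ua, period = "abc123", "Mozilla/5.0 (constructed UA)", "2007-05-29"
    legit_keyed = {"sid": sid, "token": keyed_token(sid, ua, period)}
    # Thief holds only the sid cookie and rebuilds the second one from it.
    rebuilt = {"sid": sid, "token": unkeyed_token(sid)}
    # Against the keyed scheme the thief would have to guess the server key.
    guessed = {"sid": sid, "token": keyed_token(sid, ua, period, b"guessed-key")}
    return {
        # Unkeyed scheme: the rebuilt token is accepted, so the second cookie adds nothing.
        "unkeyed_rejects_rebuilt_token": not verify_unkeyed(rebuilt),
        # Keyed scheme: a token built without the server key is rejected.
        "keyed_rejects_guessed_key": not verify_keyed(guessed, ua, period),
        # But a verbatim copy of both cookies is still accepted within the period.
        "keyed_accepts_stolen_pair": verify_keyed(dict(legit_keyed), ua, period),
        # Rotating the period invalidates the copied pair once the period changes.
        "keyed_rejects_after_rotation": not verify_keyed(legit_keyed, ua, "2007-05-30"),
    }
```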