Hi folks,

I just completed my first reading of Advanced PHP Programming by George Schlossnagle and was very impressed and thankful for the wealth of information with examples provided by George. With that said, there is a chapter dedicated to authentication using client-side cookies and encrypting a user id amongst other metadata using mcrypt.

My question to the community is -- I'd like to try something similar to this approach for an application I'm working on. Although I'm a bit concerned, as in the event of XSS or something of that nature, what if a user id is compromised and manipulated? Is it unlikely with George's encryption algorithms? I figured it would be redundant to store the user ID in a $_SESSION as well, as I need a variable to pop the user id into for my queries.

Anyhow, the class is certainly a welcome addition as far as I'm concerned, but at the same time I'm paranoid about someone figuring out the encryption on a cookie, manipulating it with an arbitrary user id, and then being able to have complete authorization to another user's data.

Thank you for your $.02!

/sf

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php