On Mon, 2008-02-25 at 12:28 -0500, Steve Finkelstein wrote:
> Hi folks,
>
> I just completed my first reading of Advanced PHP Programming by
> George Schlossnagle and was very impressed and thankful for the wealth
> of information with examples provided by George.
>
> With that said, there is a chapter dedicated to Authentication using
> client-side cookies and encrypting a user id amongst other meta data
> using mcrypt.
>
> My question to the community is -- I'd like to try something similar
> to this approach for an application I'm working on. Although I'm a bit
> concerned as in the event of XSS or something of that nature, what if
> a userid is compromised and manipulated? Is it unlikely with George's
> encryption algorithms?
>
> I figured it would be redundant to store the user ID in a $_SESSION as
> well as I need a variable to pop the user id into for my queries.
>
> Anyhow, the class is certainly a welcome addition as far as I'm
> concerned... but at the same time I'm paranoid someone figuring out the
> encryption on a cookie, manipulating it with an arbitrary user id, and
> then being able to have complete authorization to another user's data.
>
> Thank you for your $.02!

I would never store the user ID in the cookie. The session ID itself is
sufficient to find the user ID. Why open up more avenues for attack?

Cheers,
Rob.
--
.------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting  |
| a powerful, scalable system for accessing system services  |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for       |
| creating re-usable components quickly and easily.          |
`------------------------------------------------------------'

--
PHP General Mailing List (http://www.php.net/)
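As an added illustration of Rob's advice (example code written for this page, not code from the thread or from the book): the cookie carries only the opaque session ID, the user ID lives in server-side session storage, and queries take the ID from there rather than from anything the client sent. It assumes a hypothetical `find_user_by_credentials()` that returns a user ID or null, and the array form of `session_set_cookie_params()` (PHP 7.3+).

```php
<?php
declare(strict_types=1);

function start_secure_session(): void
{
    // The cookie holds nothing but the session ID. HttpOnly keeps page
    // script (the XSS case Steve raises) from reading it; Secure restricts
    // it to HTTPS. Array form of session_set_cookie_params() needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    // find_user_by_credentials() is hypothetical: returns ?int user ID.
    $userId = find_user_by_credentials($username, $password);
    if ($userId === null) {
        return false;
    }
    // Fresh session ID on privilege change so a pre-login ID is not reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    return true;
}

function current_user_id(): ?int
{
    // Looked up server-side by session ID; the client never carries the
    // user ID, so there is no cookie value to decrypt or tamper with.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Request handler: refuse anonymous requests, then query with $uid.
start_secure_session();
$uid = current_user_id();
if ($uid === null) {
    http_response_code(401);
    exit;
}
// ... run queries parameterised with $uid ...
```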