On Mon, Feb 25, 2008 at 12:43 PM, Robert Cummings <robert@xxxxxxxxxxxxx> wrote:
> On Mon, 2008-02-25 at 12:28 -0500, Steve Finkelstein wrote:
> > Hi folks,
> >
> > I just completed my first reading of Advanced PHP Programming by
> > George Schlossnagle and was very impressed and thankful for the wealth
> > of information with examples provided by George.
> >
> > With that said, there is a chapter dedicated to Authentication using
> > client-side cookies and encrypting a user id amongst other meta data
> > using mcrypt.
> >
> > My question to the community is -- I'd like to try something similar
> > to this approach for an application I'm working on. Although I'm a bit
> > concerned as in the event of XSS or something of that nature, what if
> > a userid is compromised and manipulated? Is it unlikely with George's
> > encryption algorithms?
> >
> > I figured it would be redundant to store the user ID in a $_SESSION as
> > well as I need a variable to pop the user id into for my queries.
> >
> > Anyhow, the class is certainly a welcome addition as far as I'm
> > concerned... but at the same time I'm paranoid someone figuring out the
> > encryption on a cookie, manipulating it with an arbitrary user id, and
> > then being able to have complete authorization to another user's data.
> >
> > Thank you for your $.02!
>
> I would never store the user ID in the cookie. The session ID itself is
> sufficient to find the user ID. Why open up more avenues for attack?

You should see CodeIgniter; they want to dump all the session data in a
cookie; absolute madness :O

-nathan
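Two ways to tie a browser to a user id, written as an added example for this thread (not code from any of the posters or from the Schlossnagle book). The session part follows Robert's advice: only the opaque session id goes to the browser and the user id stays in $_SESSION. The second part covers Steve's worry directly: encrypting a user id with mcrypt hides the value but does not by itself detect modification, whereas a keyed HMAC makes any altered cookie fail verification. Assumptions: COOKIE_SECRET_KEY is a placeholder that would really be loaded from configuration, the array form of session_set_cookie_params needs PHP 7.3+, and hash_equals needs PHP 5.6+.

```php
<?php
// Added example for this thread (not code from the list posters or the book):
// keep the user id server-side in $_SESSION, and if a value must ride in a
// cookie, authenticate it with an HMAC so a modified cookie is rejected.
declare(strict_types=1);

// Assumption: real deployments load 32+ random bytes (random_bytes) from
// configuration, never a literal in source. Placeholder value only.
const COOKIE_SECRET_KEY = 'PLACEHOLDER-replace-with-random-bytes';
const COOKIE_MAX_AGE    = 3600; // seconds

/* ---- Approach 1 (Robert's recommendation): only the session id in the cookie ---- */

function startSecureSession(): void
{
    // Array form requires PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,        // expires with the browser
        'path'     => '/',
        'secure'   => true,     // sent only over HTTPS
        'httponly' => true,     // not readable by JavaScript, limits XSS cookie theft
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    session_regenerate_id(true);   // fresh id on privilege change blocks session fixation
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function currentUserId(): ?int
{
    // The browser only ever sees the opaque session id; user_id never leaves the server.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/* ---- Approach 2: if a user id must live in a cookie, sign it ---- */

function issueAuthCookie(int $userId, int $now): string
{
    $expires = $now + COOKIE_MAX_AGE;
    $payload = $userId . '|' . $expires;
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET_KEY);
    return $payload . '|' . $mac;
}

function parseAuthCookie(string $cookie, int $now): ?int
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $expires, COOKIE_SECRET_KEY);
    // Constant-time comparison (PHP 5.6+); verify the MAC before trusting any field.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    return (int) $userId;
}

// Self-check from the command line: php this_file.php
if (PHP_SAPI === 'cli') {
    $now      = time();
    $cookie   = issueAuthCookie(42, $now);
    $tampered = preg_replace('/^42\|/', '43|', $cookie, 1);      // constructed: user id changed
    $expired  = issueAuthCookie(42, $now - 2 * COOKIE_MAX_AGE);   // constructed: already expired

    if (parseAuthCookie($cookie, $now) !== 42
        || parseAuthCookie($tampered, $now) !== null
        || parseAuthCookie($expired, $now) !== null) {
        throw new RuntimeException('cookie checks did not behave as expected');
    }
    echo "valid cookie -> user 42; tampered and expired cookies rejected\n";
}
```

With the session approach there is nothing for a script injected via XSS to forge, because the user id is never on the client; the remaining exposure is theft of the session cookie itself, which HttpOnly and Secure narrow and which session_regenerate_id on login keeps from being pre-seeded.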