Re: maintaining [user] state without a session ...

On Tue, March 4, 2008 8:22 am, Bojan Tesanovic wrote:
> Hi,
> It depends what do you need to track,
> if you need to track small amount of variables you can do it by cookie
> I often use it eg here is the state for one user
> $state = array(
> 'logedin'=>true,
> 'n'=>'Peter',
> 'id'=>'5',
> //anything else you need
> );
>
> //at end of your script before outputting any content
> //set cookie only for browser session and set path to '/'  so it is
> available through whole site
> setcookie('user_data',serialize($state),null,'/');

Woof.

So anybody with half a clue could look in their cookies and change,
say, 'id' to '1' and masquerade as anybody they want in your system.

And with an 'id' of '1', they might even get CMS 'admin' access or
something.

Probably not a Good Idea...

You could, perhaps, use a 2-way encryption algorithm and try to keep
your key as securely as possible, and do this much more safely.

> Also you can use some way to detect if the user is not Search engine
> to display message like
> "To properly use this site you need to enable cookies in your browser
> bla bla ...."
>
> This can be done via JS alert message which will not be triggered by
> SE but only by real user

Use robots.txt to keep out "real" search engines.

Anybody who REALLY wants to can run your JS with Webmonkey, the JS
engine of Firefox, released as a stand-alone command line tool.
(E.g., JS email obfuscation is useless against somebody with
webmonkey.  Try it and see!)

-- 
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
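An added example (not from this thread, and not PHP's own code) of the tamper-evident cookie the reply is asking for: it keeps the quoted $state shape but signs the payload with an HMAC instead of the 2-way encryption suggested above, since integrity is what stops the 'id' edit. STATE_KEY, sign_state and verify_state are names assumed for this example, and the sample cookie values are constructed.

```php
<?php
// Added example: tamper-evident cookie state. A keyed HMAC over the payload
// means an edited cookie (e.g. 'id' changed) no longer matches its tag and
// is rejected. Assumption: the key is loaded from config outside the web
// root; the literal below is a placeholder, not a real key.
const STATE_KEY = 'placeholder-replace-with-random_bytes(32)';

function sign_state(array $state, string $key): string {
    // json_encode instead of serialize(): unserialize() on user-controlled
    // input is itself a risk, while JSON decodes to plain arrays only.
    $payload = base64_encode(json_encode($state));
    $tag = hash_hmac('sha256', $payload, $key);
    return $payload . '.' . $tag;
}

function verify_state(string $cookie, string $key): ?array {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $tag] = $parts;
    // Recompute the tag and compare in constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $tag)) {
        return null;
    }
    $raw = base64_decode($payload, true);
    if ($raw === false) {
        return null;
    }
    $decoded = json_decode($raw, true);
    return is_array($decoded) ? $decoded : null;
}

// Same state as in the quoted post (constructed sample).
$state = ['logedin' => true, 'n' => 'Peter', 'id' => 5];
$cookie = sign_state($state, STATE_KEY);

// Before any output, as the quoted code says; session cookie for the whole
// site, plus HttpOnly/Secure/SameSite flags the quote does not set.
if (PHP_SAPI !== 'cli') {
    setcookie('user_data', $cookie,
        ['path' => '/', 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}

// A genuine cookie verifies; a constructed copy with 'id' rewritten to 1 but
// the old tag kept does not, so the request falls back to "not logged in".
var_dump(verify_state($cookie, STATE_KEY));
$edited = base64_encode(json_encode(['logedin' => true, 'n' => 'Peter', 'id' => 1]))
    . '.' . explode('.', $cookie, 2)[1];
var_dump(verify_state($edited, STATE_KEY));
```

Rotating STATE_KEY invalidates every outstanding cookie at once, which is the expected way to log everyone out if the key is ever exposed.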