On Thu, 2008-05-29 at 14:20 -0600, DeadTOm wrote:
> So the user comes to the site and they're presented with a log in page.
> They enter their username and password and php checks a mysql database for
> a matching username and password.
> In the case of a match, php then sets a cookie on their browser with a
> value of 1 for authenticated and 0 for not authenticated. Every subsequent
> page the user views checks the status of this cookie and if it's a zero it
> kicks them back to the log in page. This cookie expires in 5 days and
> after that they'll have to log in again.
> I'm aware that this is terribly easy to circumvent by creating/modifying a
> cookie with the 1 value and the site thinks you've passed muster.
> What is a better way of doing this?

Use PHP session engine... and set:

    $_SESSION['loggedIn'] = true;

Then you can check THAT value and they can't modify it.

Cheers,
Rob.
--
http://www.interjinn.com
Application and Templating Framework for PHP

--
PHP General Mailing List (http://www.php.net/)
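
The session approach suggested in the reply above, as an added example that is not part of the original thread. The in-memory user array (standing in for the MySQL lookup), the function names and the cookie settings are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example: the login flag is kept in server-side session storage.
// Constructed sample user store standing in for the MySQL table in the post.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_secure_session(): void {
    // Reject session IDs that this server did not issue.
    ini_set('session.use_strict_mode', '1');
    // The browser only ever holds a random session ID, never the flag itself.
    session_set_cookie_params([
        'lifetime' => 5 * 24 * 3600, // 5 days, as in the original design
        'path'     => '/',
        'secure'   => true,          // send the ID over HTTPS only
        'httponly' => true,          // keep it away from page JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(array $users, string $user, string $pass): bool {
    $hash = $users[$user] ?? null;
    if ($hash === null || !password_verify($pass, $hash)) {
        return false;
    }
    // Issue a fresh ID at login so a pre-login ID cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['loggedIn'] = true;
    $_SESSION['user'] = $user;
    return true;
}

function is_logged_in(): bool {
    // Only the server-side value counts; client cookies are never consulted.
    return ($_SESSION['loggedIn'] ?? false) === true;
}

start_secure_session();
$_COOKIE['authenticated'] = '1'; // constructed forged cookie from the old scheme

// Collect results first: output before session_regenerate_id() would block it.
$results = [
    'forged cookie only' => is_logged_in(),
    'wrong password'     => log_in($users, 'alice', 'wrong'),
    'correct password'   => log_in($users, 'alice', 'correct horse'),
    'after login'        => is_logged_in(),
];
var_export($results);
```

Every protected page would call start_secure_session() and then redirect to the login page when is_logged_in() returns false.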