On Sun, 2008-10-19 at 19:12 -0500, Micah Gersten wrote: > Don't use cookies, use sessions. > > Thank you, > Micah Gersten > onShore Networks > Internal Developer > http://www.onshore.com > > > > Ben Stones wrote: > > I've read a few videos on cookie security and it makes sense that people can > > modify cookie values which is a problem I'm trying to figure out to *try* > > and prevent. What I'll first do is at the top of the page that validates if > > the cookie values is in the database, but what my next problem is they'd use > > usernames in the database as the vaues. Are there any preventable measures > > to prevent cookie forging or what not. > > > > Thanks. > > > > > Yeah, sessions are the way to go with this. They are (more often than not) just special cookies themselves, and the only bit of information stored is the session id in the cookie, and the rest is stored in server memory (or sometimes a text file on the server.) The chances of someone forging this is much less, and if you use sessions with https then this is reduced much more, but at the end of the day, nothing is foolproof... Ash www.ashleysheridan.co.uk -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php