On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein <wendell@xxxxxxxxxxxx> wrote:
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.

I don't know that I would set a cookie containing such easily identifiable information, especially if the user name is cleartext. If your application is deciding whether or not your user is logged in based on that cookie alone, I could see the potential for a hacker to sniff it and use it to their advantage. Just changing the names of the variables to something a little more vague would help.

A few days ago on the php-general list, Chris Shiflett posted some links to an article of his that addresses secure session validation; you might want to have a look at it. The name of the thread is Session Variable Security.

--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
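
Added example, not part of the original message or of the application it discusses: one way to keep the user id, user name and password hash out of the cookie is to hand the browser an opaque random token and resolve it server-side. The function names, the `sid` cookie name, the in-memory `$store` (standing in for a sessions table) and the sample values are assumptions; it assumes PHP 7.3 or later.

```php
<?php
// Added example. All names are hypothetical; $store stands in for a
// server-side sessions table.
const SESSION_TTL = 1800; // lifetime in seconds (constructed value)

// Create a session for an authenticated user. The token carries no user
// data, and only its SHA-256 hash is kept server-side.
function issue_session(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 random bits, hex encoded
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + SESSION_TTL,
    ];
    return $token;
}

// Resolve a cookie value to a user id, or null if it is malformed,
// unknown or expired. Nothing in the cookie itself is trusted.
function validate_session(array &$store, string $cookie, int $now): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookie)) {
        return null; // not the shape of a token we issued
    }
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] < $now) {
        unset($store[$key]); // drop the expired record
        return null;
    }
    return $store[$key]['user_id'];
}

// Attributes that keep the token off plain HTTP and away from scripts.
function cookie_options(int $now): array
{
    return ['expires' => $now + SESSION_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

$store = [];
$now   = time();
$token = issue_session($store, 42, $now); // 42: constructed user id
if (PHP_SAPI !== 'cli') {
    setcookie('sid', $token, cookie_options($now));
}
var_dump(validate_session($store, $token, $now));                   // issued token
var_dump(validate_session($store, '42|someuser|0123abcd', $now));   // constructed credential-style cookie
var_dump(validate_session($store, $token, $now + SESSION_TTL + 1)); // after expiry
```

The `secure` attribute only helps against sniffing if the site is served over HTTPS; a token sent over plain HTTP can still be captured and replayed until it expires.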