As I said, over the years I've done both, and this is what I've
settled on as the most practical.
Then you should have learned by now that verifying your
data's integrity is a mandatory task when designing any
client-side session system. Otherwise, attackers can inject
any kind of data into your system where the falsified data
will be viewed as 'trusted'.
Once you add the integrity check, you have also eliminated
the possibility that arbitrary classes could be instantiated.
- Sascha
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
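
The integrity check described in the message above, as an added example that is not part of the original post or of PHP's own session code: the client-held session blob carries an HMAC tag that is verified before `unserialize()` is ever called. The function names `seal_session` and `open_session` and the key value are hypothetical, and the `allowed_classes` option assumes PHP 7.0 or later.

```php
<?php
declare(strict_types=1);

// Constructed sample key; a real deployment loads it from secret storage.
const SESSION_KEY = 'constructed-sample-key-not-for-production';
const TAG_LEN = 32; // raw HMAC-SHA256 output length in bytes

/** Serialize session data and prepend an HMAC-SHA256 tag over the payload. */
function seal_session(array $data, string $key): string
{
    $payload = serialize($data);
    $tag = hash_hmac('sha256', $payload, $key, true);
    return base64_encode($tag . $payload);
}

/** Return the session array, or null if the cookie fails the integrity check. */
function open_session(string $cookie, string $key): ?array
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= TAG_LEN) {
        return null; // malformed, or too short to hold tag plus payload
    }
    $tag = substr($raw, 0, TAG_LEN);
    $payload = substr($raw, TAG_LEN);
    $expected = hash_hmac('sha256', $payload, $key, true);
    if (!hash_equals($expected, $tag)) { // constant-time comparison
        return null; // falsified data stops here and is never deserialized
    }
    // Defence in depth: authenticated data still may not instantiate classes.
    $data = unserialize($payload, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}

// Constructed sample: a cookie issued by the server round-trips intact.
$cookie = seal_session(['uid' => 42, 'role' => 'user'], SESSION_KEY);
var_dump(open_session($cookie, SESSION_KEY));

// Constructed tampering: the payload is replaced with a serialized object
// while the tag is left as issued, so verification fails.
$raw = base64_decode($cookie);
$forged = base64_encode(substr($raw, 0, TAG_LEN) . 'O:8:"stdClass":0:{}');
var_dump(open_session($forged, SESSION_KEY));
```

The tag authenticates the data but does not hide it or bind it to a time, so confidentiality and expiry need separate handling.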