On Tue, 16 Apr 2002 14:51, Manuel Lemos did align ASCII characters thusly: > > > then stored in cookie. The security weakness of this method is that if > > > the secret key leaks, hackers may use to forge new sessions. > > > > Is this documented anywhere? > Anyway what part didn't you > understand?
I think I understand all of it. Serialization of a session (or session object) is fairly straightforward and I know how to store that in a cookie. I was just hoping there was a "cookbook" out there. Don't have any classes on your site that do this do you? ;-) > > > accesses to just one after the server is restarted. This is probably > > > the one you want to use as long you know how to deal with shared memory > > > and semaphores. > > > > Is this documented anywhere? > > Probably only in my mind . :-) Can I borrow it???? > I guess you mean HTTP based authentication. Yes. > No, AFAIK that is very > unsecure because you can't end a "session" because browsers cache > authenticated passwords and only drop them (of they do, IE may not do > it) when you quit your browser. If you leave your browser terminal for > some time, somebody may come in and take advantage of your account > privileges. The physical security of the users machine is their responsibility. I'm looking for good security, ease of implementation, and scalability. At the moment it seems to be a case of "pick any two". Brad -- PHP Database Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php