On Sun, 3 Oct 2004 13:11:00 -0700, Wendell Frohwein
> 10.) At wait.php, a cookie is set containing the user id, user name, and
> encrypted pass.

I don't know that I would set a cookie containing such easily
identifiable information, especially if the user name is cleartext. 
If your application is deciding whether or not your user is logged in
based on that cookie alone, I could see the potential for a hacker to
sniff it and use it to their advantage.  Just changing the names of
the variables to something a little more vague would help.

A few days ago on the php-general list, Chris Shiflett posted some
links to an article of his that addresses secure session validation;
you might want to have a look at it.  The name of the thread is
"Session Variable Security".

PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
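As an added illustration (not code from the thread or its participants), the cookie-only login check described in the quoted step, beside the server-side session approach the reply points toward; the cookie and session key names are assumed, not taken from the original application.

```php
<?php
// --- Weak pattern: identity travels in the cookie and is trusted as-is ---
function isLoggedInFromCookie(): bool
{
    // Anyone who holds this cookie is "logged in"; the user name is cleartext
    // and the password hash is re-sent with every request (names assumed).
    return isset($_COOKIE['uid'], $_COOKIE['uname'], $_COOKIE['pass']);
}

// --- Hardened pattern: the browser holds only an opaque session id ---
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    session_start();
}

function loginUser(int $userId, string $submittedPassword, string $storedHash): bool
{
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);               // fresh id on privilege change
    $_SESSION['uid']       = $userId;          // identity stays server-side
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
    return true;
}

function isLoggedIn(int $idleTimeout = 900): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['ua_hash'], $_SESSION['last_seen'])) {
        return false;
    }
    // Drop the session if presented from a different client or after idling.
    $uaMatch = hash_equals($_SESSION['ua_hash'],
                           hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
    $fresh   = (time() - $_SESSION['last_seen']) < $idleTimeout;
    if (!$uaMatch || !$fresh) {
        session_unset();
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}
```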
