well, first off, you should md5 the cookie value or something to avoid
having the value correlate directly with your system values.
I like to use at least one level of "shift" in apps, to make sure that user
input is never taken verbatim.
-alex
--
Alex Black, Head Monkey
[EMAIL PROTECTED]
The Turing Studio, Inc.
http://www.turingstudio.com
vox+510.666.0074
fax+510.666.0093
Saul Zaentz Film Center
2600 Tenth St Suite 433
Berkeley, CA 94710-2522
> From: [EMAIL PROTECTED] ("Toby Butzon")
> Newsgroups: php.general
> Date: 24 Jan 2001 14:10:40 -0800
> Subject: Re: [PHP] Cookie semi-security.
>
> Enable track_vars in php's config and use
> $PHP_COOKIE_VARS['cookie_id'] to get the value of the
> cookie.
>
> --Toby
>
> ----- Original Message -----
> From: "April" <[EMAIL PROTECTED]>
> To: "PHP General" <[EMAIL PROTECTED]>
> Sent: Wednesday, January 24, 2001 5:06 PM
> Subject: [PHP] Cookie semi-security.
>
>
>> Stupid question, but I'm stumped.
>>
>> I'm passing a person's id through a cookie, then using that to determine if
>> they're allowed to be doing what they're trying to do (change listings,
>> etc.). Right now, I'm getting the value of the cookie by just accessing
>> $cookie_id, without anything fancy. The problem is, if someone just denies a
>> cookie and adds ?cookie_id=9 at the end, they might as well be the person
>> with an id of 9. Is there a way for me to check and be sure that that
>> value came from a cookie, and not the url bar?
>>
>>
>> --
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>> For additional commands, e-mail: [EMAIL PROTECTED]
>> To contact the list administrators, e-mail: [EMAIL PROTECTED]
>>
>>
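An added example, not code from anyone in this thread, that puts Toby's and Alex's points together in current PHP: the id is read only from $_COOKIE (never from a variable the URL can also populate, which is what register_globals did with $cookie_id), and instead of a bare md5 of the value it is bound to a keyed hash (HMAC) under a server secret, so an edited id fails verification. It assumes PHP 7.3 or later; the cookie name "uid" and the APP_COOKIE_SECRET environment variable are assumptions, and the fallback secret is a placeholder.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.3+ (no register_globals;
// hash_hmac() and hash_equals() available). Cookie name and secret source are
// assumptions; the fallback secret is a placeholder, never use it in production.
const COOKIE_NAME = 'uid';
$secret = getenv('APP_COOKIE_SECRET') ?: 'PLACEHOLDER-replace-with-a-long-random-secret';

// Issue "id.tag": the tag is an HMAC over the id under the server secret, so a
// client that changes the id cannot produce a matching tag.
function issueIdCookie(int $userId, string $secret): string
{
    return $userId . '.' . hash_hmac('sha256', (string) $userId, $secret);
}

// Verify: read ONLY from $_COOKIE, never from a merged $cookie_id, so a
// "?uid=9" on the URL is simply ignored; then compare the tag in constant time.
function currentUserId(string $secret): ?int
{
    if (!isset($_COOKIE[COOKIE_NAME]) || !is_string($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    $parts = explode('.', $_COOKIE[COOKIE_NAME], 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return null;
    }
    [$id, $tag] = $parts;
    $expected = hash_hmac('sha256', $id, $secret);
    return hash_equals($expected, $tag) ? (int) $id : null;
}

// At login, after the password check ($userId comes from your own user table):
// setcookie(COOKIE_NAME, issueIdCookie($userId, $secret),
//     ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed demo of what the server would receive, runnable from the CLI.
$_COOKIE[COOKIE_NAME] = issueIdCookie(9, $secret);          // genuine cookie for user 9
echo currentUserId($secret) === null ? "rejected\n" : "signed in as " . currentUserId($secret) . "\n";

$_COOKIE[COOKIE_NAME] = '10.' . explode('.', $_COOKIE[COOKIE_NAME], 2)[1]; // id edited, tag kept
echo currentUserId($secret) === null ? "rejected\n" : "signed in as " . currentUserId($secret) . "\n";

// Only a non-null id should be allowed to change that user's listings.
```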