I'd appreciate some opinions about security & user IDs. My site has a registration process in which people use their email addresses as login names and also have a password.
The user database has a user ID field with a unique identifier for each user and this is used as a session variable to identify them as they move around the site. If they want to do anything sensitive, they have to enter their password as well (eg, to post or delete a message on a notice board). At the moment, this user ID is simply an auto-increment integer, so a user ID could be '5' or '19'. Is this sufficiently secure? It's fairly easy to spoof, but if people have to enter a password as well to do anything critical, isn't that enough? An alternative would be to generate a hard-to-guess user ID using md5 and uniqid, but I just wondered if that's over the top. All opinions welcome. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php