I'd appreciate some opinions about security & user IDs.

My site has a registration process in which people use their email addresses
as login names and also have a password.

The user database has a user ID field with a unique identifier for each user
and this is used as a session variable to identify them as they move around
the site. If they want to do anything sensitive, they have to enter their
password as well (eg, to post or delete a message on a notice board).

At the moment, this user ID is simply an auto-increment integer, so a user
ID could be '5' or '19'. Is this sufficiently secure? It's fairly easy to
spoof, but if people have to enter a password as well to do anything
critical, isn't that enough?

An alternative would be to generate a hard-to-guess user ID using md5 and
uniqid, but I just wondered if that's over the top.

All opinions welcome.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to