Chris W. Parker wrote:
John Nichel <mailto:[EMAIL PROTECTED]> on Tuesday, October 21, 2003 3:50 PM said:
1. Create a random ID and store it with the user's record in the db.
2. If the user chooses to be remembered, stick the random ID into a cookie.
3. When a user hits a login page, look for the cookie and retrieve it if it exists.
4. Query the db to find out which user that number belongs to.
5. Fill in the form with that user's login name.
How do you protect against duplicates OR how do you create your random ID?
I just use PHP's rand() function to generate a 10 digit random number.
Using uniqid() in conjunction with rand() gives you an even better random "number", although it's larger, at 32 characters. It's basically a similar method to how the session ID is created and you shouldn't get any duplicates (especially if you're cleaning up old info).
Here's a thought:
How about adding an arbitrary number (let's say 241757219) to every user's userid and then storing that number as the random id?
So let's say the first user comes along and is given the userid 1. We then create their random id by adding 241757219 to their userid. We get a random id of 241757220. Then within the login page I can subtract 241757219 from their random id and get their userid.
Since the userid will always be unique (auto-incrementing) it stands to reason that the random id (using the method above) will also always be unique while at the same time not making any sense to a potential attacker. (It could even be made more complicated but use the same method.)
How does that sound?
Sure. Since a potential 'hacker' doesn't know your base number, it would be pretty secure.
Not a good method. If I get on your site and see my cookie has the value 241757219 in it, I just need to subtract one from the number and revisit your site. Now I'm the user who registered before me. Using the rand() or uniqid() method above means I have to guess an entire random number / character sequence, which is going to be harder (or nearly impossible).
--
John Holmes
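As an added example (not code from anyone in this thread), here is the five-step remember-me scheme with the random ID drawn from PHP's CSPRNG and stored only as a hash, so a sequential or offset-based value never reaches the cookie; the cookie name, the table layout and the in-memory stand-in for the database are assumptions.

```php
<?php
// Added example. The array below is a constructed stand-in for a
// "remember_tokens" table keyed by token hash (assumed schema).
declare(strict_types=1);

const COOKIE_NAME = 'remember_me';     // assumed cookie name
const TOKEN_TTL   = 30 * 24 * 3600;    // 30 days

/** Stand-in DB table: sha256(token) => ['user_id' => int, 'expires' => int] */
$rememberTokens = [];

// Step 1 and 2: create the random ID and hand the raw value to the browser.
// random_bytes() is a CSPRNG; rand() and uniqid() are not, and a value
// derived from the userid plus a constant is simply arithmetic away from
// every other user's cookie. Only the hash is kept server-side, so a copy
// of the table does not yield working cookies.
function issueRememberToken(array &$table, int $userId): string
{
    $raw  = bin2hex(random_bytes(32));          // 256 bits of entropy
    $hash = hash('sha256', $raw);
    $table[$hash] = ['user_id' => $userId, 'expires' => time() + TOKEN_TTL];
    return $raw;
}

// Step 3 and 4: map a presented cookie back to a user id, or null if the
// value is malformed, unknown or expired. Lookup is by hash, so nothing
// about a neighbouring user's token can be inferred from this one.
function userFromRememberCookie(array &$table, string $cookie): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;                            // reject before touching the DB
    }
    $hash = hash('sha256', $cookie);
    if (!isset($table[$hash])) {
        return null;
    }
    if ($table[$hash]['expires'] < time()) {
        unset($table[$hash]);                   // clean up stale rows
        return null;
    }
    return $table[$hash]['user_id'];
}

// Usage: issue a token for user 42, set it as a hardened cookie, then
// resolve it again as the login page would (step 5 prefill follows).
$token = issueRememberToken($rememberTokens, 42);
setcookie(COOKIE_NAME, $token, ['expires' => time() + TOKEN_TTL,
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(userFromRememberCookie($rememberTokens, $token));
var_dump(userFromRememberCookie($rememberTokens, str_repeat('0', 64)));
```

On a real deployment the `isset` lookup becomes a query on an indexed `token_hash` column, and tokens should be invalidated on logout and password change.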