> > My login script sets unique, secure, cookies that identify the user.
> > Some of my pages only display content if a secure cookie is present.
> > Is this a bad idea for secure pages with sensitive details as I have
> > heard that cookies can be faked? I am always interested in creating a
> > secure environment for my website visitors and I want to make sure I
> > am protecting their privacy. Any help on this matter is greatly
> > appreciated.
>
> I would suggest tying your cookies to an IP. This makes it MUCH harder
> for a cracker to use the cookie. You may just want to search for "PHP
> secure cookies" on Google.

As well as much harder for AOL subscribers (whose IPs change per request)
to use the site. Cookies are easy to fake. In most cases, though, the cost
(to an intruder) of interfering with a user session far outweighs the
benefit. This is why most e-commerce sites are pretty lax about security
while you browse, and why they immediately switch to SSL when you decide
to pay.

Consider the potential damage done to your users or the sensitivity of the
information you're transmitting, and you may decide to go with SSL.

---------------------------------------------------------------------
michal migurski- contact info and pgp key:
sf/ca            http://mike.teczno.com/contact.html

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
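An added example, not posted by anyone in this thread, in PHP since this is the PHP list: the forgeable "the cookie value is the user" approach side by side with a cookie that carries only a random session id plus an HMAC over it, so it can be neither guessed nor edited, and is flagged Secure so the browser only sends it over SSL. The key constant, the in-memory store and the function names are stand-ins chosen for this illustration; a real site would keep the key in configuration and the sessions in a database. The file runs from the command line with PHP 7.1 or later.

```php
<?php
// Added example (not from the original thread): a forgeable identifying
// cookie beside an unguessable, tamper-evident session cookie.
// Assumptions: PHP 7.1+ (random_bytes, hash_hmac, hash_equals, ?string);
// SESSION_KEY and $SESSION_STORE are hypothetical stand-ins for a
// configured secret and a database-backed session table.

declare(strict_types=1);

// Weak: the cookie value *is* the identity. No secret is involved, so
// anyone who knows or guesses a username can produce a valid cookie.
function weak_cookie_value(string $username): string
{
    return $username;
}

// Server-side secret. Load this from configuration in production; the
// literal here exists only so the example runs offline.
const SESSION_KEY = 'replace-me-with-32-random-bytes-from-random_bytes()';

// Hypothetical in-memory session store standing in for a database table.
$SESSION_STORE = [];

// Strong: a 128-bit random session id (unguessable) followed by an HMAC
// over it (tamper-evident). The browser only ever sees this opaque token;
// the username stays on the server.
function issue_session(array &$store, string $username): string
{
    $sid = bin2hex(random_bytes(16));
    $mac = hash_hmac('sha256', $sid, SESSION_KEY);
    $store[$sid] = ['user' => $username, 'issued' => time()];
    return $sid . '.' . $mac;
}

// Returns the username behind a valid token, or null for a missing,
// malformed, forged or tampered token.
function resolve_session(array $store, string $token): ?string
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$sid, $mac] = $parts;
    // hash_equals() compares in constant time, so response timing does
    // not leak how many leading bytes of a guessed MAC were right.
    if (!hash_equals(hash_hmac('sha256', $sid, SESSION_KEY), $mac)) {
        return null;
    }
    return $store[$sid]['user'] ?? null;
}

// Send the token with secure=true (browser sends it only over HTTPS, so it
// cannot be sniffed on a plain-HTTP page) and httponly=true (not readable
// by client-side script). Skipped under the CLI, which sends no headers.
function send_session_cookie(string $token): void
{
    if (PHP_SAPI !== 'cli') {
        setcookie('sess', $token, 0, '/', '', true, true);
    }
}

// --- demonstration on constructed data ---
$token = issue_session($SESSION_STORE, 'alice');
send_session_cookie($token);

echo "weak cookie for alice: ", weak_cookie_value('alice'), "\n";
echo "strong token: ", $token, "\n";
echo "valid token resolves to: ", var_export(resolve_session($SESSION_STORE, $token), true), "\n";

// Forgery attempt: change one hex digit of the id. The id may no longer
// exist, and even if it did, the MAC no longer matches.
$forged = ($token[0] === 'a' ? 'b' : 'a') . substr($token, 1);
echo "tampered token resolves to: ", var_export(resolve_session($SESSION_STORE, $forged), true), "\n";

// A token with no MAC at all is rejected before any store lookup.
echo "mac-less token resolves to: ", var_export(resolve_session($SESSION_STORE, 'alice'), true), "\n";
```

The session id is what gives the cookie its strength; the HMAC lets the server reject a doctored token without a database round trip, and the Secure flag is what keeps the token off the wire in the clear once the site is behind SSL. Nothing here binds the session to the client's IP, so users whose address changes between requests are unaffected.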
