> -----Original Message----- > From: Tijnema ! [mailto:[EMAIL PROTECTED] > Sent: Monday, April 09, 2007 5:38 PM > To: Martin Marques > Cc: Ólafur Waage; php-general@lists.php.net > Subject: Re: [PHP] Session Authentication > > On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote: > > Tijnema ! escribió: > > > On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote: > > >> > > >> Yes: > > >> > > >> Don't use transparent session id, or even better, save the > > >> authentication in a cookie on the client (seperated from the session > > >> array). > > > > > > And then the user would crack the cookie .... > > > I know they are encrypted, but trust me, cookies can be edited. > > > > So what? The user authenticated himself, so what is he gonna crack? > Yes, but i guess you're not only storing if the user has > authenticated, also storing a username? > > And if that's not the case, then you could authenticate by creating a > cookie where it says authenticated = yes, and you're authenticated... > > Tijnema > > -- > PHP General Mailing List (http://www.php.net/) > To unsubscribe, visit: http://www.php.net/unsub.php
[Peter Lauri - DWS Asia] If cookies were that unsecured so you could create your own cookies that easily, then would cookies exist? Best regards, Peter Lauri www.dwsasia.com - company web site www.lauri.se - personal web site www.carbonfree.org.uk - become Carbon Free -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
