On Thu, 21 Jan 2010 22:00:30 +0000, a...@ashleysheridan.co.uk (Ashley Sheridan) 

>On Fri, 2010-01-22 at 08:58 +1100, clanc...@cybec.com.au wrote:
>> On Thu, 21 Jan 2010 08:54:44 -0500, tedd.sperl...@gmail.com (tedd) wrote:
>> >At 12:15 PM +1100 1/21/10, clanc...@cybec.com.au wrote:
>> >>On Wed, 20 Jan 2010 20:05:42 -0200, bsfaja...@gmail.com (Bruno Fajardo) wrote:
>> >>
>> >>  >Well, I hope this information is helpful.
>> >>
>> >>Yes, thanks to everyone who contributed.  I now have a better understanding of what cookies are, and have turned on output buffering, enabling me to put the handler where I want, and still be able to debug it.
>> >>
>> >>Clancy
>> >
>> >One last thing.
>> >
>> >I use sessions for the storage of variables I need between pages, but 
>> >I use cookies to leave data on the user's computer in case they come 
>> >back to my site and want to pick up where they left off.
>> >
>> >Both operations store variables, but are for different purposes.
>> Yes; I'm doing that too.  I am setting up a private website, and using cookies to control access to it.
>> Clancy
>Don't use cookies, use sessions for this. Information stored in cookies
>is susceptible to being read by pretty much anyone, hence the scare of
>using cookies that people get. Cookies in themselves are not the
>problem, but using them for anything you want to keep safe, like login
>details, etc, is a bad idea. Generally, a session ID is stored in the
>cookie, which gives nothing away to anyone trying to read it.

Thank you all for your comments.

My reasoning in using a cookie for user recognition, rather than relying on the ID, was that with a cookie I could ensure that the connection effectively lasted for some specified period, whereas the session ID lifetime seems to be somewhat short and ill-defined.  In this way I can be sure that the user will not be logged out 
The actual value of the cookie I use is an MD5 hash of some user information with an additional random component, so that it would be extremely difficult to extract useful from it.  It could equally be a random number, as it is verified by matching with a value stored on the server.  I am also considering changing it every so often hour?) while the user is logged in, so that an old value would be useless to a 

At present I am using a normal text window for the user to log in, and I suspect that this is by far the weakest link in the system.  The website is relatively obscure, and there is nothing particularly valuable on it, but I would be grateful for any suggestions how I could make this procedure more secure.
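The scheme Clancy describes (a random cookie value verified against a copy held on the server, and replaced periodically while the user is logged in), written out as an added PHP example that is not part of the original thread. It assumes an in-memory `$store` array standing in for a real server-side table, and uses the PHP 7.3+ options form of `setcookie()`.

```php
<?php
// Added example (not from the thread): persistent login token checked against a
// server-side record and rotated. $store is an assumed stand-in for a database table.
const TOKEN_LIFETIME = 14 * 24 * 3600; // the "specified period" (14 days here)

function issueToken(array &$store, string $user): string {
    $selector  = bin2hex(random_bytes(8));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret part, lives only in the cookie
    $store[$selector] = [
        'user'    => $user,
        'hash'    => hash('sha256', $validator), // only the hash is kept server-side
        'expires' => time() + TOKEN_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

function verifyToken(array &$store, ?string $cookie): ?string {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $cookie, 2);
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) return null;
    // Constant-time comparison so the check does not leak timing information.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) return null;
    return $row['user'];
}

// Rotation while logged in: invalidate the old record, issue a fresh one.
function rotateToken(array &$store, string $cookie): ?string {
    $user = verifyToken($store, $cookie);
    if ($user === null) return null;
    unset($store[explode(':', $cookie, 2)[0]]);
    return issueToken($store, $user);
}

// Cookie flags limit who can read the value: HTTPS only, hidden from scripts.
function sendTokenCookie(string $token): void {
    setcookie('remember', $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
// Usage sketch (the store functions need no HTTP context):
$store = [];
$cookie = issueToken($store, 'clancy');
assert(verifyToken($store, $cookie) === 'clancy');
$fresh = rotateToken($store, $cookie);
assert(verifyToken($store, $cookie) === null);   // old value is now useless
assert(verifyToken($store, $fresh) === 'clancy');
```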

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
