I have read elsewhere that depending on Cookie data for site 
authentication is false economy, because Cookie data can be spoofed.

I'm designing a login that auto-fills a person's name into a field for 
authentication (based on their $user_id, which is stored in the cookie), 
then they enter a password below that name and the fields are checked 
against data stored in MySQL.  Standard authentication system.  But from 
that point onward, I'd like to use a session variable that establishes 
the user's legitimacy as having logged in, using the cookie to store the 

Barring the user spoofing the SESSID in the cookie, could someone easily 
fake legitimacy?  I would think not, since the session data 
("$logged_in = 1" or something similar) is not stored in the cookie but 
rather on the server.  But I just want to confirm.

I should mention that I have register_globals = off in php.ini (4.1.0 on 


PHP General Mailing List (http://www.php.net/)
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to