> -----Original Message-----
> From: Erik Price [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 30, 2002 3:30 PM
> To: PHP
> Subject: [PHP] session data vs cookie data
> 
> 
> I have read elsewhere that depending on Cookie data for site 
> authentication is false economy, because Cookie data can be spoofed.
>

True 

> 
> I'm designing a login that auto-fills a person's name into a field for
> authentication (based on their $user_id, which is stored in the cookie),
> then they enter a password below that name and the fields are checked
> against data stored in MySQL.  Standard authentication system.  But from
> that point onward, I'd like to use a session variable that establishes
> the user's legitimacy as having logged in, using the cookie to store the
> SESSID.
> 
> Barring the user spoofing the SESSID in the cookie, could someone easily
> fake legitimacy?  I would think not, since the session data
> ("$logged_in = 1" or something similar) is not stored in the cookie but
> rather on the server.  But I just want to confirm.
>

It is possible to "steal" a session because a session_id is usually based on
a cookie. So I always store the IP, HTTP_X_FORWARD and USER_AGENT in the
session, and check them on every page.

Kind regards,
Jerry

> 
> I should mention that I have register_globals = off in php.ini (4.1.0 on
> Linux).
> 
> 
> Thanks,
> Erik
> 
> 
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
> To contact the list administrators, e-mail: [EMAIL PROTECTED]
> 



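As an added example, not code from the thread: a PHP sketch of the check Jerry describes, binding the session to REMOTE_ADDR, X-Forwarded-For and User-Agent at login and verifying them on every page. It assumes PHP 7.3 or later (not the 4.1.0 in the thread), reads Jerry's HTTP_X_FORWARD as $_SERVER['HTTP_X_FORWARDED_FOR'], and redirects to a hypothetical /login.php.

```php
<?php
// Added example (not from the thread): bind a PHP session to the client
// properties Jerry lists and re-check them on every request. Assumes PHP
// 7.3+; HTTP_X_FORWARD is read as $_SERVER['HTTP_X_FORWARDED_FOR'] (assumption).

// Fingerprint of where the request appears to come from. Caveat: all inputs
// are client- or proxy-supplied; a real user's IP can change mid-session and a
// thief holding the ID can copy the User-Agent, so this is defence in depth.
function client_fingerprint(array $server): string
{
    $parts = [
        $server['REMOTE_ADDR']          ?? '',
        $server['HTTP_X_FORWARDED_FOR'] ?? '',
        $server['HTTP_USER_AGENT']      ?? '',
    ];
    return hash('sha256', implode("\n", $parts));
}

// Call once, right after the password check succeeds.
function bind_session_to_client(array $server): void
{
    session_regenerate_id(true);         // discard the pre-login session ID
    $_SESSION['logged_in']   = 1;
    $_SESSION['fingerprint'] = client_fingerprint($server);
}

// Call at the top of every protected page. On a mismatch the session is
// destroyed, so whoever presents the copied ID only reaches the login form.
function session_still_valid(array $server): bool
{
    if (empty($_SESSION['logged_in']) || empty($_SESSION['fingerprint'])) {
        return false;
    }
    if (!hash_equals($_SESSION['fingerprint'], client_fingerprint($server))) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    return true;
}

// Per-page use: keep the ID in a cookie that scripts cannot read.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if (!session_still_valid($_SERVER)) {
    header('Location: /login.php');      // hypothetical login page
    exit;
}
```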