What I have done in the past is create a session variable that tells me that
the person using that session is valid.  It's really really hard to spoof a
session variable.  I did it this way after awhile since the original way
that I did it was by checking their username/password in the session on
every page hit.. Which when I have over a million hits per day begins to
wear on the database..

So far using a session variable is the best way that I have found.



"Too much caution is bad for you. By avoiding things you fear, you may let
yourself in for unhappy consequences. It is usually wiser to stand up to a
scary-seeming experience and walk right into it, risking the bruises as hard
knocks. You are likely to find it is not as tough as you had thought.  Or
you may find it plenty tough, but also discover you have what it takes to
handle it." - Norman Vincent Peale

> From: "Chad Day" <[EMAIL PROTECTED]>
> Date: Wed, 10 Jul 2002 16:09:53 -0400
> Subject: [PHP] Dumb session / cookie / password questions
> I am a little confused about storing stuff in cookies/sessions and how to
> prevent spoofing of them.
> A user logs in, his e-mail address or user id and password(md5'ed) is
> checked against my database.
> Assuming it matches, I then set a cookie with the users id + email.
> What is to stop someone from spoofing that cookie?  I obviously don't want
> to put the password in a cookie .. can someone point me in the direction of
> an article about this?  I've searched around, but I'm not finding stuff
> about in a preventing spoofing / security aspect.
> Thanks,
> Chad
> -- 
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to