> > You shouldn't even have to do this. Just set a
> > variable to true and check for that. Why carry around the username
> > password??
> Well, I guess it's because I started with someone else's script, and
> my own from there. Not being a security expert, I assumed that they
> this for a reason.
> Are you saying that setting $_SESSION['logged_on'] after I've
> their login (once) is just as safe as $_SESSION['uid'],
Sure, why not? Users can't create session variables (unless you're on a
> Interesting stuff...
> So the real problem with sessions is hijacking the session ID, not
> $_SESSION vars.
Correct. The good thing with sessions is that they only last for as long
as the browser is open. So you can't come back and hijack a user. You'd
have to do it at the same time that the user is online.
> I guess I need to look into session hijacking next.
> >> So, how do you implement a "remember me" safely?
> > You don't, if you have anything to protect. If it's just for a forum
> > convenience and might just cause a little headache is someone's user
> > hijacked, then you can do it with a cookie.
> What about if the cookie was set under https / SSL
It makes it secure from sniffing... I don't think it would help for a
cross site scripting vulnerability, though...
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php