> > You shouldn't even have to do this. Just set a
> > variable to true and check for that. Why carry around the username
> > password??
> Well, I guess it's because I started with someone else's script, and
> my own from there.  Not being a security expert, I assumed that they
> this for a reason.
> Are you saying that setting $_SESSION['logged_on'] after I've
> their login (once) is just as safe as $_SESSION['uid'],
$_SESSION['pwd'] ?

Sure, why not? Users can't create session variables (unless you're on a
virtual server...)

> Interesting stuff...
> So the real problem with sessions is hijacking the session ID, not
> $_SESSION vars.

Correct. The good thing with sessions is that they only last for as long
as the browser is open. So you can't come back and hijack a user. You'd
have to do it at the same time that the user is online.
> I guess I need to look into session hijacking next.
> >> So, how do you implement a "remember me" safely?
> >
> > You don't, if you have anything to protect. If it's just for a forum
> > convenience and might just cause a little headache is someone's user
> > hijacked, then you can do it with a cookie.
> What about if the cookie was set under https / SSL

It makes it secure from sniffing... I don't think it would help for a
cross site scripting vulnerability, though...

---John Holmes...

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to