I know I'm late in on this thread but ....

Ignoring cookies is easy - just don't set them and don't use any data in
$_COOKIE[]... or am I missing your point?

$_COOKIE[] data should be treated with far more caution than $_SESSION[]
i.e. it should be treated as hostile data. If you really have to recognise
users coming back to your site after their session has timed out then store
the bare minimum in the cookie e.g. an encrypted User ID. You can then use
that to look up their information in a database table and deal with their
profile accordingly. Users can switch off cookie support at any time or
delete/tamper with cookies so don't make your code reliant on the stuff
stored in them...

In effect it is up to you what you save and process from persistent


Hash: SHA1

I'm not worried about them using the query string for malicious purposes- I
have register_globals off... I'm worried about someone messing with their
cookie and sedding authorized to true- that _will_ change my $_SESSION
variable, unless I can find some way to ignore cookies, which brings us back
to my original question- how do i ignore all client input, _especially_

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to