On Fri, May 30, 2003 at 11:01:26PM -0700, Evan Nemerson wrote:
> Send a session ID to the user in a cookie, then lookup that ID in a database
> on the server. It's extremely difficult to guess random session ID's (don't
> just increment them!), and if you have a session timeout, you're pretty much
> set.
That's true, and it is what most people do, but if you think about it the
session ID is then functionally equivalent to a crypt'd password for the
duration of your session; that is, either one allows you access to the site.
So if you were worried about folks sniffing an encrypted password and using
it to log in, you should be equally worried about folks sniffing a session ID
and using *it* to log in.
Dustin
--
Dustin Mitchell
[EMAIL PROTECTED]/[EMAIL PROTECTED]
http://people.cs.uchicago.edu/~dustin/
--
PHP General Mailing List (http://www.php.net/)
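The thread's point is that a session ID is a bearer credential: whoever holds it is logged in, so it deserves the same server-side handling as a password and the same protection on the wire. The following is an added illustration, not code from either poster and not the PHP session extension itself; it is written in Python rather than PHP, uses an in-memory dictionary in place of the database Evan mentions, and the cookie name PHPSESSID, the 15-minute idle timeout and the injectable clock are assumptions made for the example. It shows IDs drawn from a CSPRNG (not a counter), only a hash of the ID kept server-side (so a dumped session table cannot be replayed, the same reason passwords are stored hashed), an idle timeout that kills stale sessions, and the cookie attributes that keep the ID out of cleartext traffic and away from page scripts.

```python
import hashlib
import secrets
import time

# Constructed example: an in-memory session store that treats the session
# ID as the bearer credential it is, and handles it like a password.

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity before a session expires (assumed value)


def _digest(session_id: str) -> str:
    # Only a SHA-256 digest of the ID is stored. A leaked copy of the
    # session table then cannot be used to log in, just as a leaked table
    # of hashed passwords cannot be used directly.
    return hashlib.sha256(session_id.encode()).hexdigest()


class SessionStore:
    def __init__(self, now=time.time):
        # `now` is injectable so expiry can be exercised deterministically.
        self._now = now
        self._sessions = {}  # digest -> {"user": str, "last_seen": float}

    def create(self, user: str) -> str:
        # 32 bytes from the OS CSPRNG: about 256 bits of entropy, so the ID
        # cannot be guessed or enumerated the way an incrementing one can.
        session_id = secrets.token_urlsafe(32)
        self._sessions[_digest(session_id)] = {
            "user": user,
            "last_seen": self._now(),
        }
        return session_id

    def lookup(self, session_id: str):
        # Returns the user owning a live session, or None for an unknown
        # or expired ID. Expired entries are dropped on first sight.
        key = _digest(session_id)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def destroy(self, session_id: str) -> None:
        # Explicit logout: remove the server-side record so the cookie
        # value is worthless even if a copy of it survives somewhere.
        self._sessions.pop(_digest(session_id), None)


def session_cookie(session_id: str) -> str:
    # Set-Cookie value for the ID. `Secure` keeps it off cleartext HTTP,
    # which is the answer to Dustin's sniffing concern; `HttpOnly` keeps it
    # away from page scripts; `SameSite=Lax` limits cross-site sending.
    return f"PHPSESSID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("alice")
    print("Set-Cookie:", session_cookie(sid))
    print("lookup:", store.lookup(sid))
    store.destroy(sid)
    print("after logout:", store.lookup(sid))
```

Note that none of this removes the equivalence Dustin describes: a valid ID presented over the wire still logs the bearer in. The hashing limits damage from a server-side leak, the timeout limits how long a captured ID stays useful, and the `Secure` attribute is what actually keeps the ID from being sniffed, because it forces the cookie onto TLS.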