Erik Price wrote:
> I have read elsewhere that depending on Cookie data for site
> authentication is false economy, because Cookie data can be spoofed.
>
> I'm designing a login that auto-fills a person's name into a field for
> authentication (based on their $user_id, which is stored in the cookie),
> then they enter a password below that name and the fields are checked
> against data stored in MySQL. Standard authentication system. But from
> that point onward, I'd like to use a session variable that establishes
> the user's legitimacy as having logged in, using the cookie to store the
> SESSID.
>
> Barring the user spoofing the SESSID in the cookie, could someone easily
> fake legitimacy?
No.
Can it be done? Yes. "Easily"? No. The default sessid is 32
characters of 36 (a-z0-9). Maybe it's even upper and lowercase, meaning
62 (a-zA-Z0-9). That's 32 ^ 36 combinations. Or is it 36 ^ 32
combinations? Either way, it's a big number of possible session IDs to
try to hack at.
I remember back in the day when a shop I was at first started using ASP,
they were all geeked about some GUID maker that would *guarantee* unique
IDs - it would supposedly never generate the same ID twice, ever. I
argued with them about that, in that, unless the string it returns can
be infinite (it can't, due to memory constraints), there's always a
SLIGHT chance of getting the same GUID repeated at some point. For some
reason, they didn't believe me.
The chances are slight that someone could change a cookie and fake a
different session ID. Chances of getting a 'live' one? Very slim, IME.
> I would think not, since the session data ("$logged_in
> = 1" or something similar) is not stored in the cookie but rather on the
> server. But I just want to confirm.
>
> I should mention that I have register_globals = off in php.ini (4.1.0 on
> Linux).
>
Michael Kimsal
http://www.tapinternet.com/php
PHP Training Courses
734-480-9961
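The design Erik describes, written out as an added example (this is not code from the thread or from PHP's documentation): the cookie carries only the session ID, the proof of login lives in server-side session data, and the ID is replaced at login so an ID seen or planted beforehand is useless. The `users` table, its columns, the DSN and the credentials are placeholders; it assumes PHP 7.3 or later for the array form of `session_set_cookie_params`.

```php
<?php
// Added example, not the thread's code. Assumes a MySQL table `users`
// (id, username, password_hash) reachable via the placeholder DSN below.

// Accept the session ID only from the cookie (never from the URL), reject
// IDs the server never issued, and keep the cookie away from page script.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function db(): PDO {
    // Placeholder connection details.
    return new PDO('mysql:host=localhost;dbname=app', 'app', 'secret', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Check the submitted credentials against MySQL. On success the only record
// of "logged in" is server-side; the client holds nothing but the session ID.
function login(string $username, string $password): bool {
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Privilege change: issue a fresh ID and discard the old session file so
    // a pre-login ID cannot be ridden into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = true;
    return true;
}

// Gate for every protected page: legitimacy is decided by what the server
// stored for this session ID, not by any value the client sent.
function require_login(): int {
    if (empty($_SESSION['logged_in']) || !isset($_SESSION['user_id'])) {
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['user_id'];
}

// Logout clears the server-side record, which is what actually ends access.
function logout(): void {
    $_SESSION = [];
    session_destroy();
}
```

With `register_globals` off, as in Erik's setup, only `$_SESSION` can set `logged_in`, so a client cannot supply it through the query string or a cookie.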
--
PHP General Mailing List (http://www.php.net/)