You really want a separate and distinct signed authentication cookie that has nothing to do with the session. The stored session should indicate which logged-in user the session belongs to, but it should never ever be used as the sole authentication cookie. That's what I meant by a separate authentication layer.
Could you explain why? If you can steal the session cookie, you could definitely steal any other cookie too. So stealing-wise, nothing is gained by using a separate cookie. Signing would help you to know the cookie is from you, but I don't see how it's going to help you to know the cookie belongs to whoever is attempting to use it. Could you elaborate?
--
Stanislav Malyshev, Zend Products Engineer
[EMAIL PROTECTED] http://www.zend.com/

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php