Stanislav Malyshev wrote:
>> The session store is just a session store. It is not a
>> login/authentication mechanism and thus doesn't have any of the
>> protections you might want to add to that. Therefore a separate
>> authentication cookie is needed that can separate the two concepts
>
> I don't see how it's "therefore". Yes, session is just a storage. But
> how you derive from it that authentication information can not be stored
> in this storage and how the separate cookie is helping you in any way
> make it more secure?

Because you don't have full control over the session cookie since it is generated by PHP. For an authentication cookie you want to layer other application-specific checks on top of it.

-Rasmus

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
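
The separation argued for in the reply above, as an added example that is not part of the original thread or PHP's own code: an authentication cookie whose format and checks the application controls, kept apart from the PHP-generated session cookie. The function names, the key, the field layout and the particular checks (HMAC, expiry, User-Agent binding) are assumptions chosen for illustration.

```php
<?php
// Added example: application-controlled auth cookie, independent of PHPSESSID.
// AUTH_KEY is a constructed sample; a real key comes from secret storage.
const AUTH_KEY = 'constructed-demo-key-not-for-production';

// Build the cookie value: user id, expiry and client binding, plus an HMAC over all three.
function auth_cookie_issue(string $userId, int $ttl, string $userAgent, int $now): string
{
    $payload = implode('|', [rawurlencode($userId), $now + $ttl, hash('sha256', $userAgent)]);
    return $payload . '|' . hash_hmac('sha256', $payload, AUTH_KEY);
}

// Return the user id only if every application-specific check passes, otherwise null.
function auth_cookie_verify(string $cookie, string $userAgent, int $now): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;                                   // malformed value
    }
    [$uid, $expires, $uaHash, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid|$expires|$uaHash", AUTH_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                                   // forged or modified (constant-time compare)
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                                   // expiry enforced by the application
    }
    if (!hash_equals($uaHash, hash('sha256', $userAgent))) {
        return null;                                   // presented by a different client
    }
    return rawurldecode($uid);
}

// Constructed demo values.
$now    = 1700000000;
$ua     = 'ExampleBrowser/1.0';
$cookie = auth_cookie_issue('alice', 3600, $ua, $now);
// In a web request the value would be sent separately from the session cookie, e.g.:
// setcookie('auth', $cookie, ['expires' => $now + 3600, 'secure' => true,
//                             'httponly' => true, 'samesite' => 'Lax']);

var_dump(auth_cookie_verify($cookie, $ua, $now + 60));                                  // fresh cookie, same client
var_dump(auth_cookie_verify($cookie, $ua, $now + 7200));                                // past its expiry
var_dump(auth_cookie_verify(str_replace('alice', 'admin', $cookie), $ua, $now + 60));   // payload edited
var_dump(auth_cookie_verify($cookie, 'OtherBrowser/2.0', $now + 60));                   // different User-Agent
```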