On Fri, May 30, 2003 at 11:01:26PM -0700, Evan Nemerson wrote:
> Send a session ID to the user in a cookie, then look up that ID in a database
> on the server. It's extremely difficult to guess random session IDs (don't
> just increment them!), and if you have a session timeout, you're pretty much
> set.
That's true, and it is what most people do, but if you think about it the session ID is then functionally equivalent to a crypt'd password for the duration of your session; that is, either one allows you access to the site. So if you were worried about folks sniffing an encrypted password and using it to log in, you should be equally worried about folks sniffing a session ID and using *it* to log in.

Dustin

--
Dustin Mitchell
http://people.cs.uchicago.edu/~dustin/
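The scheme discussed in this thread, as an added example that is not code from either poster: a random server-side session ID with an idle timeout, plus the cookie flags that address Dustin's point that the ID is as sensitive as the password. It assumes PHP 7.3 or later (random_bytes() and the setcookie() options array) and uses a constructed in-memory array in place of the database.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 (random_bytes(),
// setcookie() options array); the "database" is a constructed in-memory array.
// The ID is handled as the bearer credential Dustin describes: random,
// server-side, short-lived, and never sent in the clear.
declare(strict_types=1);

const SESSION_TTL = 900;       // 15-minute idle timeout: a sniffed ID goes stale fast
const SESSION_ID_BYTES = 32;   // 256 random bits; an incremented counter is guessable

function create_session(array &$db, string $user, int $now): string
{
    $id = bin2hex(random_bytes(SESSION_ID_BYTES));   // CSPRNG, never a counter
    $db[$id] = ['user' => $user, 'expires' => $now + SESSION_TTL];
    return $id;
}

function lookup_session(array &$db, string $id, int $now): ?string
{
    if (!isset($db[$id])) {
        return null;                        // unknown or already revoked
    }
    if ($db[$id]['expires'] < $now) {
        unset($db[$id]);                    // timed out: stop honouring the ID
        return null;
    }
    $db[$id]['expires'] = $now + SESSION_TTL;   // sliding idle timeout
    return $db[$id]['user'];
}

function send_session_cookie(string $id, int $now): bool
{
    // The ID is as sensitive as the password, so it must never travel unencrypted.
    return setcookie('sid', $id, [
        'expires'  => $now + SESSION_TTL,
        'path'     => '/',
        'secure'   => true,      // HTTPS only: not sniffable off the wire
        'httponly' => true,      // hidden from document.cookie
        'samesite' => 'Strict',
    ]);
}

// Stand-alone check against the constructed store.
$db  = [];
$t   = 1000000;
$sid = create_session($db, 'alice', $t);
assert(lookup_session($db, $sid, $t + 60) === 'alice');                 // still valid
assert(lookup_session($db, $sid, $t + 60 + SESSION_TTL + 1) === null);  // expired
```

The Secure flag is what closes the gap Dustin raises: the browser will not send the cookie over plain HTTP, so the session ID gets the same transport protection as the password it stands in for.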