[snip]
Can I trust every browser to check for old cookies on startup and eliminate them? And still, even if I can, wouldn't the cookie be intact to read on the hard drive until the browser is started again? I was thinking about slicing the username and password strings in two, and storing the halves in cookies and server sessions respectively, e.g.:

Username = Admin -> Cookieusername = Ad, Sessionusername = min
Password = Secret -> Cookiepassword = Sec, Sessionpassword = ret
[/snip]

Never trust any program that is not running on your system. How do you know that your user is actually running a browser and not some self-written program? So the most important lesson is never to trust anything that is not under your control...

You should never store the password in the cookie. Better is to send some sort of id as the cookie and use that id to retrieve some sort of database record for password comparison. That way the password/user combination is always under your control.

If you depend on tight security, your best bet is to authenticate the user each time he re-enters your page and not use cookies for authentication at all. This can be a pain but is by far the safest. Even better of course would be some certificate authentication. This could be very bothersome to program though.

If you must save the password as a cookie (I DO NOT RECOMMEND THIS AT ALL), at least encrypt it with a hash function like crypt using a different salt for each user. Then compare the hash value to a stored password hash value on your server.

Regards
Stefan Langer

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
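The "opaque id in the cookie, record on the server" approach from the reply above, written out as an added PHP example (not code from the original post or from the list). It assumes PHP 7.3 or later and uses in-memory arrays where a real application would use database tables; the user record and password are constructed sample data.

```php
<?php
// Added example: the cookie carries only a random id; the password (and even
// the raw id) never sits on the client as a reusable secret.
declare(strict_types=1);

// Constructed sample user table. The password is stored only as a salted hash;
// password_hash() generates a fresh per-user salt on every call.
$users = ['admin' => ['hash' => password_hash('Secret', PASSWORD_DEFAULT)]];
// Server-side login table, stand-in for a DB: sha256(id) => ['user', 'expires'].
$logins = [];

// Step 1: on login, verify the password server-side and issue an opaque id.
function login(array $users, array &$logins, string $user, string $pass): ?string
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user]['hash'])) {
        return null; // unknown user or wrong password: nothing is issued
    }
    $id = bin2hex(random_bytes(32)); // 256-bit random value, contains no secret
    // Store only a hash of the id, so a leaked table cannot be replayed as cookies.
    $logins[hash('sha256', $id)] = ['user' => $user, 'expires' => time() + 1800];
    return $id; // this is the only value that goes into the cookie
}

// Step 2: on each later request, map the cookie id back to the server record.
function currentUser(array &$logins, ?string $cookieId): ?string
{
    // Reject anything that is not a 64-char hex string before touching storage.
    if ($cookieId === null || strlen($cookieId) !== 64 || !ctype_xdigit($cookieId)) {
        return null;
    }
    $key = hash('sha256', $cookieId);
    if (!isset($logins[$key])) {
        return null; // no such login, or it was already revoked
    }
    if ($logins[$key]['expires'] < time()) {
        unset($logins[$key]); // expiry is enforced here, not by the browser
        return null;
    }
    return $logins[$key]['user'];
}

// Usage as it would appear in a request handler (constructed values).
$id = login($users, $logins, 'admin', 'Secret');
if ($id !== null) {
    // HttpOnly keeps page scripts away from the id; Secure limits it to HTTPS.
    setcookie('sid', $id, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
}
$who = currentUser($logins, $id);      // the user name for a valid id
$none = currentUser($logins, 'bogus'); // null for an unknown or malformed id
```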