Em Segunda 09 Abril 2007 12:37, Tijnema ! escreveu:
> On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
> > Tijnema ! escribió:
> > > On 4/9/07, Martin Marques <martin@bugs.unl.edu.ar> wrote:
> > >> Yes:
> > >>
> > >> Don't use transparent session id, or even better, save the
> > >> authentication in a cookie on the client (seperated from the session
> > >> array).
> > >
> > > And then the user would crack the cookie ....
> > > I know they are encrypted, but trust me, cookies can be edited.
> >
> > So what? The user authenticated himself, so what is he gonna crack?
>
> Yes, but i guess you're not only storing if the user has
> authenticated, also storing a username?
>
> And if that's not the case, then you could authenticate by creating a
> cookie where it says authenticated = yes, and you're authenticated...
>
> Tijnema
... and we get a security crater... =]
--
Davi Vidal
[EMAIL PROTECTED]
[EMAIL PROTECTED]
--
Agora com fortune:
"Crito, I owe a cock to Asclepius; will you remember to pay the debt?
-- Socrates' last words"
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
