On Thu, May 30, 2013 at 12:06:02PM -0400, Tedd Sperling wrote: > On May 29, 2013, at 11:05 PM, Paul M Foster <pa...@quillandmouse.com> > wrote: > >> http://sperling.com/php/authorization/log-on.php > > > > I realize this is example code. > > > > My question is, in a real application where that $_SESSION['auth'] > > token would be used subsequently to gain entry to other pages, what > > would you use instead of the simple TRUE/FALSE value? It seems that > > someone (with far more knowledge of hacking than I have) could > > rather easily hack the session value to change its value. But then > > again, I pretty much suck when it comes to working out how you'd > > "hack" (crack) things. > > > > Paul > > Paul: > > While the above link may be example code, it is still sound for > production. > > Keep in mind that everything in security comes down to a true/false > condition. Do you let the person in or not! > > Certainly there are attacks on session ids and one must deal with > that. But that's the level of security we have today. > > I could go through all the things you need to consider in protecting > your session id (e.g., not accessing your bank accounts while having > coffee at StartBucks) but that would defeat the purpose of attending > one of my classes on the subject. :-)
Yep, next time I'm up at the North Pole, I'll drop in and see you. Meantime, the beach is heating up. Better go get some more ice for my margueritas. [grin] Paul -- Paul M. Foster http://noferblatz.com http://quillandmouse.com -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
