I have read elsewhere that depending on Cookie data for site
authentication is false economy, because Cookie data can be spoofed.
I'm designing a login that auto-fills a person's name into a field for
authentication (based on their $user_id, which is stored in the cookie),
then they enter a password below that name and the fields are checked
against data stored in MySQL. Standard authentication system. But from
that point onward, I'd like to use a session variable that establishes
the user's legitimacy as having logged in, using the cookie to store the
SESSID.

Barring the user spoofing the SESSID in the cookie, could someone easily
fake legitimacy? I would think not, since the session data
("$logged_in = 1" or something similar) is not stored in the cookie but
rather on the server. But I just want to confirm.

I should mention that I have register_globals = off in php.ini (4.1.0 on
Linux).

Thanks,
Erik
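
The design described in the message above, sketched as an added example (not code from the original post): the user_id cookie only pre-fills the name field, and the logged-in state lives in server-side session data. It assumes a current PHP (7.3 or later, not the 4.1.0 mentioned) and an HTTPS site; the function names are hypothetical and an in-memory array stands in for the MySQL table.

```php
<?php
declare(strict_types=1);

// Constructed user store standing in for the MySQL table (assumption).
$users = [42 => ['name' => 'erik', 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];

// The user_id cookie is client-controlled: use it only as a hint to pre-fill
// the name field, never as proof of identity.
function prefill_name(array $users, array $cookie): string
{
    $id = filter_var($cookie['user_id'] ?? null, FILTER_VALIDATE_INT);
    return ($id !== false && isset($users[$id])) ? $users[$id]['name'] : '';
}

// Check the submitted name and password; on success record the login in
// server-side session data under a freshly issued session ID.
function login(array $users, string $name, string $password): bool
{
    foreach ($users as $id => $user) {
        if ($user['name'] === $name && password_verify($password, $user['hash'])) {
            session_regenerate_id(true);      // old ID stops working after login
            $_SESSION['user_id'] = $id;
            $_SESSION['logged_in'] = true;
            return true;
        }
    }
    return false;
}

// Legitimacy is read from $_SESSION only; $_COOKIE['user_id'] is never consulted.
function current_user(): ?int
{
    return empty($_SESSION['logged_in']) ? null : (int) $_SESSION['user_id'];
}

ini_set('session.use_strict_mode', '1');      // reject session IDs the server did not issue
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

$forged = ['user_id' => '42'];                // constructed: cookie set by the client
$name = prefill_name($users, $forged);
$results = [
    'prefilled name'        => $name,
    'user before login'     => current_user(),
    'login, wrong password' => login($users, $name, 'guess'),
    'login, right password' => login($users, $name, 'correct horse'),
    'user after login'      => current_user(),
];
var_dump($results);
```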