Firstly, you should ALWAYS use an encryption algorithm for passwords. For my site, I used md5() and match with that. That way, even if someone does get a hold of the encrypted password, it's not in their best interest (or maybe it is, if they're bored) to crack it.
I haven't tested the following out, but it might work if someone wants to be a smartass and type out "index.php?user=admingod&pass=adminpass&[EMAIL PROTECTED]" in which they know the info.

    <?php if (!empty($_GET)) { header("Location: " . $_SERVER['PHP_SELF']); exit; } ?>

Putting that at the top of the page would check to see if any information was sent to the page from the $_GET superglobal, and if it was, reload the page without any URL extensions. It sounds good in theory, though I haven't tested it, so it might not work as I think it should (it NEVER does!).

My $20.00 (big mouth)

Martin Clifford
http://www.completesource.net (Now Open!)

>>> "Chad Day" <[EMAIL PROTECTED]> 07/10/02 04:09PM >>>
I am a little confused about storing stuff in cookies/sessions and how to prevent spoofing of them. A user logs in, his e-mail address or user id and password (md5'ed) is checked against my database. Assuming it matches, I then set a cookie with the user's id + email. What is to stop someone from spoofing that cookie? I obviously don't want to put the password in a cookie .. can someone point me in the direction of an article about this? I've searched around, but I'm not finding stuff about it in a preventing spoofing / security aspect.

Thanks,
Chad

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
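The forgery Chad asks about (editing the id or e-mail in a cookie that the server trusts at face value) is stopped by making the cookie value self-authenticating: the server appends a keyed MAC over the fields, and on every request recomputes it before believing the contents. The following is an added example written for this page, not code from the thread or from either poster; it assumes a server-side secret kept in configuration outside the web root (COOKIE_SECRET below is a placeholder, not a real key) and PHP 7.3 or later for the array form of setcookie.

```php
<?php
// Added example (not from the thread): a login cookie of the form
//   userid|email|expiry|mac
// where mac = HMAC-SHA256 over "userid|email|expiry" under a server-side secret.
// Anyone can read the fields, but without the secret they cannot produce a
// valid mac for an edited user id, so a tampered cookie is rejected.

const COOKIE_SECRET = 'PLACEHOLDER-load-a-long-random-secret-from-config'; // assumption
const COOKIE_TTL    = 3600; // seconds the cookie stays valid

// Build the signed cookie value. The e-mail is URL-encoded so a '|' inside it
// cannot shift the field boundaries.
function make_auth_cookie(int $userId, string $email, ?int $now = null): string
{
    $now     = $now ?? time();
    $payload = implode('|', [$userId, rawurlencode($email), $now + COOKIE_TTL]);
    $mac     = hash_hmac('sha256', $payload, COOKIE_SECRET);
    return $payload . '|' . $mac;
}

// Verify a cookie value; returns the trusted fields or null if it was
// forged, edited, truncated or has expired.
function verify_auth_cookie(string $cookie, ?int $now = null): ?array
{
    $now   = $now ?? time();
    $parts = explode('|', $cookie);
    if (count($parts) !== 4) {
        return null;                                   // wrong shape
    }
    [$userId, $email, $expires, $mac] = $parts;
    $payload  = implode('|', [$userId, $email, $expires]);
    $expected = hash_hmac('sha256', $payload, COOKIE_SECRET);
    if (!hash_equals($expected, $mac)) {               // constant-time compare
        return null;                                   // tampered or forged
    }
    if (!ctype_digit($expires) || (int) $expires < $now) {
        return null;                                   // expired or malformed expiry
    }
    return ['user_id' => (int) $userId, 'email' => rawurldecode($email)];
}

// After the md5'ed password check against the database succeeds:
function issue_login_cookie(int $userId, string $email): void
{
    setcookie('auth', make_auth_cookie($userId, $email), [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On every protected page, before trusting $_COOKIE['auth']:
function current_user(): ?array
{
    return isset($_COOKIE['auth']) ? verify_auth_cookie($_COOKIE['auth']) : null;
}
```

The MAC proves integrity, not secrecy: every field is visible to whoever holds the cookie, which is exactly why the password (even md5'ed) stays out of it, as Chad already intended. If the secret is ever rotated, all outstanding cookies become invalid, which is the desired effect. The alternative with the same property is a server-side session (session_start) where the cookie carries only an unguessable session id and the user id lives in server storage.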