On Wed, 17 Sep 2003 20:33:00 -0800, "Alejandro Chavarria - CyPage" <[EMAIL PROTECTED]> wrote:
> Hey,
>
> I have a script and I want to allow an administrator to log on to it. Once
> logged in they can change things... etc. Basically stuff I don't want other
> people to be able to do. I have decided that cookies are the best way to go.
> I've been looking and looking on the internet for a way to add a "logout"
> button in the script that will delete the cookie that has the username and
> password so they are essentially logged out. I have read that you can fill
> in the "expires" field with 1. a date in the past (i.e. -1d) or 2. the
> word "now". I have heard about problems with both these methods.
>
> What do you suggest?
>

In general I would reset the cookie to the empty string with no expiration date, and then on the other end your check should be that the cookie exists *and* has a correct value. Then make the "correct" value very hard (because nothing is 100% secure) to figure out how to generate. In other words hash it with a secret key or some such that only the server has. So the cookie exists but the check fails, and as soon as the session ends the cookie is no longer stored.

http://danconia.org
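
The check described in the reply, as an added example that is not part of the original thread: a Python sketch (the thread does not name a language) in which the cookie carries the username plus an HMAC keyed with a server-only secret instead of the password, and logout resets the cookie to the empty string with no expiry. `SECRET_KEY`, `COOKIE_NAME` and the function names are assumptions made for the illustration.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie

SECRET_KEY = b"constructed-demo-key"  # assumption: known only to the server
COOKIE_NAME = "admin_session"         # hypothetical cookie name


def sign(username: str) -> str:
    """Return 'username|hex-hmac', the only form the server accepts."""
    mac = hmac.new(SECRET_KEY, username.encode(), hashlib.sha256).hexdigest()
    return f"{username}|{mac}"


def set_cookie_header(value: str) -> str:
    """Build a Set-Cookie value with no Expires/Max-Age (session cookie)."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    jar[COOKIE_NAME]["path"] = "/"
    jar[COOKIE_NAME]["httponly"] = True
    jar[COOKIE_NAME]["secure"] = True
    return jar[COOKIE_NAME].OutputString()


def login_header(username: str) -> str:
    return set_cookie_header(sign(username))


def logout_header() -> str:
    # Overwrite with the empty string: the cookie exists, the check fails.
    return set_cookie_header("")


def authenticated_user(cookie_header: str):
    """Return the username if the cookie exists AND its MAC verifies."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not morsel.value:
        return None  # missing or emptied by logout
    username, sep, mac = morsel.value.rpartition("|")
    if not sep or not username:
        return None  # malformed value
    expected = sign(username).rpartition("|")[2]
    # Constant-time comparison; bytes avoid errors on non-ASCII input.
    if hmac.compare_digest(mac.encode(), expected.encode()):
        return username
    return None
```

A value signed this way stays valid if it was copied before logout, since the empty cookie only replaces the browser's copy; revoking it needs server-side session state or an expiry inside the signed data.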