You wrote: "I'm not sure if using the user id is safe enough. Could it be possible that someone changes the cookie value to another user id? Or does the session somehow provide security to this?"
I thought it was relatively safe; however, I did find a site that suggested otherwise: http://www.sitepoint.com/article/php-security-blunders

"Session ID hijacking can be a problem with PHP Websites. The PHP session tracking component uses a unique ID for each user's session, but if this ID is known to another user, that person can hijack the user's session and see information that should be confidential. Session ID hijacking cannot completely be prevented; you should know the risks so you can mitigate them. For instance, even after a user has been validated and assigned a session ID, you should revalidate that user when he or she performs any highly sensitive actions, such as resetting passwords. Never allow a session-validated user to enter a new password without also entering their old password, for example. You should also avoid displaying truly sensitive data, such as credit card numbers, to a user who has only been validated by session ID."

I'm not sure if Cake does anything to mitigate this risk, or how much of a risk it actually is. I'd like to hear more about it myself, if someone is more knowledgeable about how sessions work.
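As an added illustration (not from the thread, and not CakePHP or PHP code), here is a small Python model of the two approaches under discussion: a cookie that carries the user id itself versus a server-side session keyed by a random id, plus a password change that re-validates with the old password as the quoted advice recommends. The accounts, passwords and cookie values are constructed sample data; `PHPSESSID` is used only as the cookie name.

```python
import hashlib, hmac, secrets

# Constructed sample accounts (user id -> password hash); sha256 stands in for a real password hash.
USERS = {1: hashlib.sha256(b"alice-pw").hexdigest(), 2: hashlib.sha256(b"bob-pw").hexdigest()}

def _check_password(user_id, password):
    return user_id in USERS and hmac.compare_digest(
        hashlib.sha256(password.encode()).hexdigest(), USERS[user_id])

def naive_user_from_cookie(cookie):
    """Weak scheme from the question: the cookie carries the user id, so any client can rewrite it."""
    uid = cookie.get("user_id", "")
    return int(uid) if uid.isdigit() and int(uid) in USERS else None

class SessionStore:
    """Server-side sessions: the cookie holds only a random id that the server maps to a user."""
    def __init__(self):
        self._sessions = {}  # session id -> user id

    def login(self, user_id, password):
        if not _check_password(user_id, password):
            return None
        sid = secrets.token_hex(16)  # 128 random bits, unrelated to the user id
        self._sessions[sid] = user_id
        return sid

    def user_from_cookie(self, cookie):
        return self._sessions.get(cookie.get("PHPSESSID", ""))

    def regenerate(self, sid):
        """Like PHP's session_regenerate_id(true): fresh id after login, old id invalidated."""
        user_id = self._sessions.pop(sid, None)
        if user_id is None:
            return None
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = user_id
        return new_sid

    def change_password(self, sid, old_password, new_password):
        """Sensitive action: a valid session alone is not enough, the old password is required."""
        user_id = self._sessions.get(sid)
        if user_id is None or not _check_password(user_id, old_password):
            return False
        USERS[user_id] = hashlib.sha256(new_password.encode()).hexdigest()
        return True

def demo():
    store = SessionStore()
    out = {"forged_naive": naive_user_from_cookie({"user_id": "2"})}  # 2: treated as bob, no login
    sid = store.regenerate(store.login(1, "alice-pw"))
    out["forged_session"] = store.user_from_cookie({"PHPSESSID": "2"})  # None: ids are not user ids
    out["owner"] = store.user_from_cookie({"PHPSESSID": sid})  # 1
    out["pw_wrong_old"] = store.change_password(sid, "bob-pw", "new-pw")  # False
    out["pw_right_old"] = store.change_password(sid, "alice-pw", "new-pw")  # True
    return out
```

The model shows why a forged `user_id` cookie is accepted outright while a forged session cookie maps to nothing; the remaining risk is an attacker learning a genuine session id, which is what re-validation for sensitive actions is meant to limit.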
