On Monday, August 19, 2002, at 07:56 PM, Rasmus Lerdorf wrote:

>> To conclude: Don't trade useful features for pseudo security.
>> Removing this feature just increases the feeling of having a
>> 'secure' site and decreases the desire to protect oneself by
>> activating session.use_only_cookies.
>
> I do agree with that, I just wasn't convinced that it was a useful
> feature.

To play devil's advocate, pure cookie-based authentication is not a
panacea. If you allow users to put things like JavaScript on your site,
or if you have users who exploit IE bugs like the about: cookie domain
bug from last year, cookies can be stolen and sessions hijacked. Pure
cookie auth is definitely a good thing, but does not provide safety in
a number of 'real world' applications.

George

--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, visit: http://www.php.net/unsub.php