I think it's the responsibility of whomever is holding the key (ie, the username and password). When a user logs into my site, I put their username and password in a cookie. I then check those cookies to allow them access to membership only parts of the site. It is thus their responsibility to keep people from accessing the cookies on their machine. If I don't put the username and password on their machine and just use a session id, now the responsibility is in my hands.
J. -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php