John W. Holmes wrote: <snip>
Chris W. Parker wrote:Here's a thought:
How about adding an abitrary number (let's say 241757219) to every users userid and then storing that number as the random id?
So let's say the first user comes along and is given the userid 1. We then create their random id by adding 241757219 to their userid. We get a random id of 241757220. Then within the login page I can subtract 241757219 from their random id and get their userid.
Since the userid will always be unique (auto-incrementing) it stands to reason that the random id (using the method above) will also always be unique while at the same time not making any sense to a potential attacker. (It could even be made more complicated but use the same method.)
How does that sound?
Sure. Since a potential 'hacker' doesn't know your base number, it would be pretty secure.
Not a good method. If I get on your site and see my cookie has the value 241757219 in it, I just need to subtract one from the number and revisit your site. Now I'm the user who registered before me. Using the rand() or uniqid() method above means I have to guess an entire random number / character sequence, which is going to be harder (or nearly impossible).
Oh sure, figure out a way to circumvent this. What the hell are you trying to do, help people here? hehe
-- By-Tor.com It's all about the Rush http://www.by-tor.com
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
