On Friday, June 7, 2002, at 12:32 PM, Jeff Field wrote:
> I'm under the impression that when I create the user
> and password variables, the variables are only available in the session
> cookie on my own server, not in the cookie that is sent to the user to
> maintain sessions. The cookie sent to the user merely contains the
> session ID. Therefore, other than someone hijacking the session, I'm a little
> unclear as to the security risk. Have I got this right?

Exactly. Unless they had access to the server itself, where the session data is stored in a temporary file. So there are two vulnerabilities -- server compromise and cookie spoofing.

But don't forget that without SSL, someone watching your client's port (or your server's port) will see the password in plaintext and get through that way. Watching a port is about as easy as anything I can think of. So for true security you'll need SSL.

Erik

----
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
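The thread makes three points: the browser's cookie carries only the session ID while the user data lives in the server's session store, a stolen or forged ID (hijacking) is one risk, and without SSL the password crosses the wire in the clear. The following login/logout script is an added example, not code from the thread or from PHP's own documentation; it shows how a PHP application acts on those three points today. It assumes PHP 7.3 or later (for the array forms of `session_set_cookie_params()` and `setcookie()`) and uses a constructed in-memory user table in place of a real database.

```php
<?php
// Added example (not from the mailing-list thread). A minimal login flow that
// keeps credentials and identity on the server side, so the cookie the browser
// receives is only a session ID, and that addresses the two risks raised
// above: cookie spoofing/hijacking and plaintext sniffing without SSL.
declare(strict_types=1);

// 1. Refuse to accept a password over plain HTTP. Anyone watching the port
//    would otherwise read it in clear text, which is the sniffing risk above.
if (PHP_SAPI !== 'cli' && (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off')) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}

// 2. Attributes of the session-ID cookie. `secure` keeps the ID off plaintext
//    connections, `httponly` keeps it out of reach of page scripts, and
//    `samesite` stops most cross-site requests from carrying it along.
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: gone when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never take the ID from the URL
if (PHP_SAPI !== 'cli') {
    session_start();
}

// Constructed user table standing in for a database. Only a password hash is
// stored; the plaintext password never reaches disk or the session file.
$USERS = [
    'alice' => ['id' => 1, 'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)],
];

function find_user_record(string $username): ?array
{
    global $USERS;
    return $USERS[$username] ?? null;
}

function login(string $username, string $password): bool
{
    $record = find_user_record($username);
    // password_verify() compares against the stored hash in constant time
    // relative to the hash length; a wrong user or wrong password both fail.
    if ($record === null || !password_verify($password, $record['password_hash'])) {
        return false;
    }
    // Issue a fresh ID at the privilege change. An ID an attacker planted or
    // observed before login (session fixation) never becomes the authenticated one.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    // Only the identity goes into the server-side session, never the password.
    $_SESSION['user_id']    = $record['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    if (session_status() !== PHP_SESSION_ACTIVE) {
        return;
    }
    // Expire the browser's copy of the cookie as well as the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage (command line, where no HTTP session is started):
//   php -r 'require "login.php"; var_dump(login("alice", "correct horse battery staple"));'
//   php -r 'require "login.php"; var_dump(login("alice", "wrong"));'
```

The two vulnerabilities Erik names map onto the two halves of the script: the cookie flags, strict mode and ID regeneration narrow what an attacker can do with a guessed or captured session ID, and the HTTPS check plus hashed storage keep the password out of both the network and the server's temporary session file, so a server compromise yields a hash rather than a reusable credential.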