There really isn't a good way to do this, I think.

Any time you're taking just a cookie, and using that data to assume who the
user is, it's open to hijacking. I can sniff the cookie or maybe find a
cross-site scripting bug to steal it, create the same cookie on my machine,
and poof, I'm that user.

Now, if it's just for a forum, or something simple, then just do it. It's
not worth worrying about someone hijacking my forum user.

Anyway, the best way to create the unique id is to use uniqid() in combo
with md5(). That'll give you a 32 character string that's hard to predict
and isn't based on any of the user data.

www.php.net/uniqid

---John Holmes...

----- Original Message -----
From: "Chad Day" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 3:30 PM
Subject: RE: [PHP] Sessions / logins / cookies / security


> Anyone?  Can someone at least point me to some web article for
> recommendations?  I saw some examples where a password variable was
> stored, but is that really safe (as long as I MD5 it first?)
>
> Chad
>
> -----Original Message-----
> From: Chad Day [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 16, 2002 12:30 PM
> To: [EMAIL PROTECTED]
> Subject: [PHP] Sessions / logins / cookies / security
>
>
> I asked something similar a little while ago, but didn't do a good job
> clarifying.
>
> What I'm looking to do is when a user logs in, I start up the session.. I
> then have the registered session var to verify they are authenticated as
> they move throughout the site.
>
> Now, when they close the browser and come back, I want them to still be
> authenticated.  Obviously, I have to set a cookie.  But what do I set?  Do
> I set just their user ID?  The MD5 of their password?  What's the most
> secure way, that's not easily spoofed?  I don't know that much about cookies, but
> if I just use a user ID, couldn't someone just change that ID value and
> 'become' another user?
>
> Thanks for any advice,
> Chad
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
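An added example, not code from John or Chad, of the "remember me" cookie discussed above with the token random rather than derived from user data: it assumes a PDO handle $db and a remember_tokens table (user_id, token_hash, expires_at), and uses random_bytes() (PHP 7+) where the reply suggests uniqid()+md5().

```php
<?php
// Added example, not from the thread. A "remember me" cookie holding a random
// token tied to nothing about the user, as John suggests, but generated with
// random_bytes() (PHP 7+): uniqid() is clock-derived and md5() adds no entropy,
// so uniqid()+md5() output is guessable by anyone who knows roughly when the
// cookie was issued. The $db PDO handle and the remember_tokens table
// (user_id, token_hash, expires_at) are assumptions for this illustration.

const REMEMBER_TTL = 30 * 24 * 3600;   // 30 days

function issue_remember_cookie(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));         // 256 random bits, 64 hex chars
    $hash  = hash('sha256', $token);            // only the hash is stored server-side
    $exp   = time() + REMEMBER_TTL;
    $stmt  = $db->prepare(
        'INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    $stmt->execute([$userId, $hash, $exp]);
    // HttpOnly keeps script (XSS) from reading the cookie; Secure keeps it off
    // plain HTTP, the sniffing case above. The options array needs PHP 7.3+.
    setcookie('remember', $token, [
        'expires'  => $exp,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid cookie, or null. Editing the cookie value
// cannot "become" another user (Chad's question) because nothing in it names
// a user; a forged value must match a stored 256-bit token exactly.
function user_from_remember_cookie(PDO $db): ?int
{
    $token = $_COOKIE['remember'] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                            // malformed: reject before touching the DB
    }
    $stmt = $db->prepare(
        'SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}
```

On logout, delete the matching remember_tokens row as well as clearing the cookie, so a copy taken earlier stops working.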
