on 17/07/02 12:35 PM, John Holmes ([EMAIL PROTECTED]) wrote:

> You shouldn't even have to do this. Just set a $_SESSION['logged_on']
> variable to true and check for that. Why carry around the username and
> password??

Well, I guess it's because I started with someone else's script, and built
my own from there.  Not being a security expert, I assumed that they did
this for a reason.

Are you saying that setting $_SESSION['logged_on'] after I've validated
their login (once) is just as safe as $_SESSION['uid'] and $_SESSION['pwd']?

Interesting stuff...

So the real problem with sessions is hijacking the session ID, not fake
$_SESSION vars.


I guess I need to look into session hijacking next.


>> So, how do you implement a "remember me" safely?
> 
> You don't, if you have anything to protect. If it's just for a forum or
> convenience and might just cause a little headache if someone's user is
> hijacked, then you can do it with a cookie.

What about if the cookie was set under https / SSL?


> Why do people insist on it being something related to the username and
> password. Just use uniqid() and md5() to create a unique id for the user,
> save it in their table, and use that in the cookie. If you base it off
> of something, it makes it easier to crack...

Good point.


Thanks for your advice.


Justin French
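Added example (not code from either poster): a minimal PHP login flow that does what John describes above, keeping only a logged-on flag and user id in the session (never the password), and a "remember me" cookie backed by a random token stored in a table. The users and remember_tokens tables, their columns, and the $pdo connection are assumptions. It uses random_bytes() in place of the uniqid()+md5() combination mentioned in the thread, because the token must be unpredictable, and stores only a hash of the cookie value so a leaked table does not yield usable cookies.

```php
<?php
declare(strict_types=1);

// Session cookie: HTTPS-only (the SSL question above), not readable by script.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Validate credentials once, then record only a flag and the user id.
function loginUser(PDO $pdo, string $username, string $password, bool $remember): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New session id on login so a pre-login id cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION['logged_on'] = true;
    $_SESSION['uid'] = (int) $row['id'];
    // The password is never copied into $_SESSION.

    if ($remember) {
        issueRememberCookie($pdo, (int) $row['id']);
    }
    return true;
}

// Random token unrelated to username/password; only its hash is stored.
// (remember_tokens table and its columns are assumed, not from the thread.)
function issueRememberCookie(PDO $pdo, int $uid): void
{
    $selector  = bin2hex(random_bytes(8));   // lookup key
    $validator = bin2hex(random_bytes(32));  // secret part, hashed in the DB
    $expires   = time() + 30 * 24 * 3600;
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $uid, $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Check the session flag first; fall back to the remember-me cookie.
function isLoggedOn(PDO $pdo): bool
{
    if (!empty($_SESSION['logged_on'])) {
        return true;
    }
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return false;
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);
    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false
        || (int) $row['expires_at'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return false;
    }
    // Re-establish the session, then rotate the token so a stolen copy is single-use.
    session_regenerate_id(true);
    $_SESSION['logged_on'] = true;
    $_SESSION['uid'] = (int) $row['user_id'];
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issueRememberCookie($pdo, (int) $row['user_id']);
    return true;
}
```

The selector/validator split is a design choice of this example: the selector lets the row be found by an indexed equality lookup, while the validator is compared with hash_equals() against its stored hash, so neither a database read nor a timing difference gives away a usable cookie value. Logging out should delete the user's remember_tokens rows and clear the cookie.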


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
