> > You shouldn't even have to do this. Just set a $_SESSION['logged_on']
> > variable to true and check for that. Why carry around the username and
> > password??
>
> Well, I guess it's because I started with someone else's script, and built
> my own from there. Not being a security expert, I assumed that they did
> this for a reason.
>
> Are you saying that setting $_SESSION['logged_on'] after I've validated
> their login (once) is just as safe as $_SESSION['uid'], $_SESSION['pwd']?

Sure, why not? Users can't create session variables (unless you're on a
virtual server...)

> Interesting stuff...
>
> So the real problem with sessions is hijacking the session ID, not fake
> $_SESSION vars.

Correct. The good thing with sessions is that they only last for as long as
the browser is open. So you can't come back and hijack a user. You'd have to
do it at the same time that the user is online.

> I guess I need to look into session hijacking next.
>
> >> So, how do you implement a "remember me" safely?
> >
> > You don't, if you have anything to protect. If it's just for a forum or
> > convenience and might just cause a little headache if someone's user is
> > hijacked, then you can do it with a cookie.
>
> What about if the cookie was set under https / SSL

It makes it secure from sniffing... I don't think it would help for a cross
site scripting vulnerability, though...

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
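The pattern discussed in the thread, as an added example that is not code from the list or any of its posters: validate the credentials once, then keep only a logged_on flag and the user id in the session, never the password. It assumes a hypothetical lookup_password_hash() helper that returns the stored password_hash() value for a user, and PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the thread). Stores a "logged_on" flag plus the
// user id in the session; the password is checked once and never kept.
// Assumes a hypothetical lookup_password_hash($username) returning the
// stored password_hash() value for that user, or null if unknown.

// Harden the session cookie before the session starts: 'secure' keeps it
// off plain HTTP (the sniffing point raised above); 'httponly' keeps
// script from reading it, which limits what a cross-site scripting bug
// can steal. Requires PHP 7.3+ for the array form.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function login(string $username, string $password): bool
{
    $hash = lookup_password_hash($username); // hypothetical helper
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Validate once, then keep only the result. Issuing a fresh session id
    // on login means a session id planted before authentication (session
    // fixation) does not inherit the logged-in state.
    session_regenerate_id(true);
    $_SESSION['logged_on'] = true;
    $_SESSION['uid']       = $username;
    return true;
}

// Guard for protected pages: the flag alone is the check; no password is
// re-sent or re-compared on every request.
function require_login(): void
{
    if (empty($_SESSION['logged_on'])) {
        header('Location: /login.php');
        exit;
    }
}

// Clear server-side state so the old session id is useless afterwards.
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```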