On 12/2/05, Kevin Dangoor <[EMAIL PROTECTED]> wrote:
>
> On 12/2/05, Mike Orr <[EMAIL PROTECTED]> wrote:
> >
> > On 12/1/05, Jeff Watkins <[EMAIL PROTECTED]> wrote:
> > > You're unlikely to need to worry about someone spoofing an identity cookie.
> > > This means it's unlikely that someone would be able to generate a valid
> > > identity cookie.
> >
> > Can the identity cookie be used as a session identifier too then?  Or
> > can a session identifier be put into it?
>
> That could conveniently be done with, um, "p"''s suggested approach.
> We could unify the cookie by having a single unit that keeps track of
> the identity and session ID info.

Would it also work for sites that have sessions but not identities? 
Perhaps we could have a semi-autonomous "secure cookie" that can serve
for both or either, or anything else we might want to put in it later.

--
Mike Orr <[EMAIL PROTECTED]>
([EMAIL PROTECTED] address is semi-reliable)
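
One way the combined "secure cookie" discussed above could work, as an added example that is not part of the original message or the project's code. It assumes an HMAC-SHA256 signature over a JSON payload; the function names and the `id`, `sid` and `exp` fields are hypothetical.

```python
import base64, hashlib, hmac, json, time

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_cookie(key: bytes, identity=None, session_id=None, ttl=3600, now=None) -> str:
    """Build a signed cookie carrying an identity, a session id, both, or neither."""
    now = int(time.time()) if now is None else now
    payload = {"exp": now + ttl}          # expiry limits the replay window
    if identity is not None:
        payload["id"] = identity          # hypothetical field name
    if session_id is not None:
        payload["sid"] = session_id       # hypothetical field name
    body = b64e(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + b64e(tag)

def read_cookie(key: bytes, value: str, now=None):
    """Return the payload dict if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = value.split(".")      # anything but two parts raises ValueError
        expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()
        # Verify before parsing, in constant time, so forged bodies never reach json.
        if not hmac.compare_digest(expected, b64d(tag)):
            return None
        payload = json.loads(b64d(body))
    except ValueError:                    # covers bad base64, bad JSON, non-ASCII
        return None
    if not isinstance(payload, dict) or payload.get("exp", 0) < now:
        return None
    return payload

if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-production"   # constructed sample key
    session_only = make_cookie(key, session_id="s-42")          # no identity
    both = make_cookie(key, identity="mike", session_id="s-42")
    print(read_cookie(key, session_only))
    print(read_cookie(key, both))
    forged = b64e(b'{"exp":9999999999,"id":"admin"}') + "." + both.split(".")[1]
    print(read_cookie(key, forged))                             # rejected
```

The cookie is signed, not encrypted, so the client can read the payload; it must not hold secrets.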
