Date: 05/02/01
- Next message: Klaus Seidenfaden: "Sv: [phplib] cookie security"
- Previous message: Klaus Seidenfaden: "Sv: [phplib] I need relogin ? (part 2)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hello all,
I have a newbie question about security...
A user hits my page, a cookie gets passed. I have it set up so that the
session ID doesn't change even after the user logs in (so I can keep track
of vars they might have picked up in the "public" section of the site, such
as "last_search"). In other words, the session gets updated in the database
to say "This user is no longer a guest, she is now a logged in user."
The question I have is this:
Is it unwise to update the session as opposed to destroying it and creating
a new one, carrying over the vars server side where I can validate them
(double validate) just in case the user tampered with her cookie?
Another way of putting this is:
How much do we have to worry about a cookie being tampered with to give the
user freedom she shouldn't have?
I suppose this isn't even PHPlib specific per se, so I guess I'm looking
for comments from anyone.
Thanks in advance for any insight anyone can offer.
-Sebastien
---------------------------------------------------------------------
To unsubscribe, e-mail: phplib-unsubscribe <email protected>
For additional commands, e-mail: phplib-help <email protected>
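The "destroy the session and create a new one, carrying the vars over server side where I can validate them" option from the post, written out as an added example. This is a Python model of a server-side session table, not PHPlib code and not part of the original message; the carry-over whitelist, the `fixation_attack` scenario and the values in it are constructed for the illustration. It contrasts the in-place update the post describes with rotating the ID at login.

```python
import secrets
import time

# Guest-session variables allowed into the logged-in session, each with the
# check it must pass. Constructed for this example; the post names only
# "last_search".
CARRY_OVER = {
    "last_search": lambda v: isinstance(v, str) and 0 < len(v) <= 200,
}


class SessionStore:
    """Server-side session table: the cookie carries only the session ID."""

    def __init__(self):
        self._table = {}  # sid -> {"user": None | str, "data": {}, "created": ts}

    def create(self):
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._table[sid] = {"user": None, "data": {}, "created": time.time()}
        return sid

    def get(self, sid):
        return self._table.get(sid)

    def set_var(self, sid, key, value):
        self._table[sid]["data"][key] = value

    def login_in_place(self, sid, user):
        """What the post describes: keep the ID, mark the session logged in."""
        self._table[sid]["user"] = user
        return sid

    def login_rotate(self, old_sid, user):
        """Destroy the guest session, issue a fresh ID, copy only validated vars."""
        old = self._table.pop(old_sid, None)
        new_sid = self.create()
        new = self._table[new_sid]
        new["user"] = user
        if old is not None:
            for key, ok in CARRY_OVER.items():
                value = old["data"].get(key)
                if value is not None and ok(value):
                    new["data"][key] = value
        return new_sid


def fixation_attack(rotate):
    """Attacker plants a valid guest session ID on the victim, who then logs in.

    Returns (attacker_sees_login, victim_sid_changed, victim_session_vars).
    """
    store = SessionStore()
    planted = store.create()                    # attacker holds a guest sid
    store.set_var(planted, "last_search", "widgets")  # victim browses as guest
    store.set_var(planted, "is_admin", True)    # a var never meant to carry over
    if rotate:
        victim_sid = store.login_rotate(planted, "alice")
    else:
        victim_sid = store.login_in_place(planted, "alice")
    # The attacker keeps presenting the planted ID after the victim logs in.
    attacker_view = store.get(planted)
    attacker_logged_in = attacker_view is not None and attacker_view["user"] == "alice"
    victim = store.get(victim_sid)
    return attacker_logged_in, victim_sid != planted, dict(victim["data"])
```

With `rotate=False` the attacker's planted ID becomes a logged-in session for "alice"; with `rotate=True` the planted ID is gone, the victim gets a fresh ID, and only the whitelisted `last_search` survives the move while `is_admin` is dropped. Since the cookie holds nothing but the ID, tampering with it can only substitute another ID, so the ID's randomness and its rotation at login are what matter.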