Date: 05/02/01
- Next message: Vivek Kumar Agrawal: "[phplib] Connecting Sybase thru PHP using ct lib"
- Previous message: D. Sebastien Taggart: "[phplib] cookie security"
D. Sebastien Taggart wrote:
>Is it unwise to update the session as opposed to destroying it and creating
>a new one, carrying over the vars server side where I can validate them
>(double validate) just in case the user tampered with her cookie?
If it is just a session cookie (it is, if it is generated by page_open()), it only contains the session id. Variables stay in a database, server-side. Session ids are md5 hashes of a quasi-random value, so it is highly unlikely that someone can sneak into somebody else's session by tampering with the session id. Also, I believe session cookies are kept in memory, so they shouldn't be accessible for tampering (but there's always the query string, of course).
So what I'm saying is: Just reuse the session. But then again, I'm a newbie myself, so don't trust me one bit! :-)
-- Klaus.
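
The behaviour described in the reply above, as an added example that is not part of the original message and is not PHPLIB code: the cookie carries only an opaque id, and the variables live in a server-side store. `SessionStore` and its methods are hypothetical names, the array stands in for the session database, and the id comes from `random_bytes()` rather than PHPLIB's md5 scheme.

```php
<?php
// Added illustration; SessionStore is a hypothetical class, not part of PHPLIB.
final class SessionStore
{
    /** @var array<string, array> stands in for the session table in the database */
    private array $rows = [];

    // Create a session; the returned id is the only value sent to the browser.
    public function open(): string
    {
        $sid = bin2hex(random_bytes(16)); // 32 hex chars, same shape as an md5 id
        $this->rows[$sid] = [];
        return $sid;
    }

    // Store a variable server-side; the client never sees or supplies it.
    public function set(string $sid, string $key, $value): void
    {
        if (!array_key_exists($sid, $this->rows)) {
            throw new RuntimeException('unknown session');
        }
        $this->rows[$sid][$key] = $value;
    }

    // Resolve a cookie value to its variables, or null if it matches no session.
    public function load(string $cookie): ?array
    {
        if (!preg_match('/\A[0-9a-f]{32}\z/', $cookie)) {
            return null; // malformed id: rejected before any lookup
        }
        return $this->rows[$cookie] ?? null;
    }
}

$store = new SessionStore();
$sid = $store->open();
$store->set($sid, 'user', 'alice');
$store->set($sid, 'is_admin', false);

// Constructed cookie values a browser might send back.
$edited = $sid;
$edited[0] = ($sid[0] === 'a') ? 'b' : 'a';   // one character changed
$appended = $sid . ';is_admin=1';             // variables appended to the cookie

var_dump($store->load($sid));       // the stored array: user=alice, is_admin=false
var_dump($store->load($edited));    // NULL: the id matches no session
var_dump($store->load($appended));  // NULL: not a well-formed id, is_admin unchanged
```

An edited cookie can only select a different id; it cannot change a stored variable. A request that presents the correct id, whether from the cookie or the query string, is treated as that session.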

