Posted by Sanders Kaufman on 10/31/07 20:30

"floortje" <none@none.none> wrote in message
news:4728dd4a$0$82384$dbd49001@news.wanadoo.nl...

> I would have lotsa fun with this feature if I wasn't a nice guy. Even some
> standard browsers let you manipulate cookies. You should also store a
> string to check the validity of the cookie and the last know ip adress.
>
> Example
> $supersercret='mysectret';
> $md5hash=md5($_SERVER[''REMOTE_ADDR].$username.$supersecret);
> add this value to the cookie.
>
> on every page check if the md5hash of the username, ip and supersecret
> match the hd5hash in the cookie

I use a "loginCookieValue" (UUID) in the users database.
Every page-view gets a new one.
That way - even if a would-be hacker steals a "session" for one page, it
won't be good for the next.

[Back to original message]