Posted by Rik Wasmus on 10/31/07 20:51
On Wed, 31 Oct 2007 21:30:58 +0100, Sanders Kaufman <bucky@kaufman.net> wrote:
> "floortje" <none@none.none> wrote in message
> news:4728dd4a$0$82384$dbd49001@news.wanadoo.nl...
>
>> I would have lotsa fun with this feature if I wasn't a nice guy. Even
>> some standard browsers let you manipulate cookies. You should also store
>> a string to check the validity of the cookie and the last known IP
>> address.
>>
>> Example
>> // shared server-side secret; never sent to the client
>> $supersecret = 'mysecret';
>> // bind the cookie to the client IP, the username and the secret
>> $md5hash = md5($_SERVER['REMOTE_ADDR'] . $username . $supersecret);
>> add this value to the cookie.
>>
>> on every page check if the md5hash of the username, ip and supersecret
>> match the md5hash in the cookie
>
> I use a "loginCookieValue" (UUID) in the users database.
> Every page-view gets a new one.
> That way - even if a would-be hacker steals a "session" for one page, it
> won't be good for the next.
Do you mean every arbitrary request will alter one and the same cookie, or
every single path gets its own? Both have some drawbacks, mostly race /
simultaneous request conditions (and a hacker gets a new one too) for the
first, people screaming they're 'logged out' when they haven't even logged
in, but just request a previously unvisited page for the latter. But maybe
I'm looking at it wrong. Could you elaborate?
-- 
Rik Wasmus
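The two schemes discussed in this thread, written out as an added example (not code from any of the posters, and in Python rather than the PHP of the original snippet). The first half replaces the ad-hoc md5(ip . username . secret) with an HMAC over the same fields plus an expiry, verified with a constant-time comparison; the second half models the "new token on every page-view" store and shows the race Rik asks about: two requests from the same browser that both carry the current token, where the second one is rejected because the first already rotated it. The secret value, the usernames and the IP addresses are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed secret for the demo; a real deployment loads it from config,
# not from source code.
SERVER_SECRET = b"example-server-secret-not-for-production"


def _tag(username: str, expires: int, client_ip: str, secret: bytes) -> str:
    # HMAC-SHA256 over username, expiry and client IP. Using HMAC instead of
    # md5(concatenation) gives a keyed MAC with no ambiguity about where
    # one field ends and the next begins (fields are '|'-separated and the
    # username is not allowed to contain '|').
    msg = f"{username}|{expires}|{client_ip}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def make_cookie(username: str, client_ip: str, secret: bytes = SERVER_SECRET,
                expires: Optional[int] = None) -> str:
    """Return the cookie value 'username|expires|tag' bound to client_ip."""
    if "|" in username:
        raise ValueError("username must not contain the field separator")
    if expires is None:
        expires = int(time.time()) + 3600  # one hour
    return f"{username}|{expires}|{_tag(username, expires, client_ip, secret)}"


def verify_cookie(cookie: str, client_ip: str, secret: bytes = SERVER_SECRET,
                  now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is intact, unexpired and was issued
    for client_ip; otherwise None (tampered, wrong IP, expired, malformed)."""
    try:
        username, expires_s, tag = cookie.split("|")
        expires = int(expires_s)
    except ValueError:
        return None
    expected = _tag(username, expires, client_ip, secret)
    # compare_digest avoids leaking how many leading bytes matched
    if not hmac.compare_digest(expected, tag):
        return None
    if now is None:
        now = int(time.time())
    if now >= expires:
        return None
    return username


class RotatingTokenStore:
    """One opaque token per user, replaced on every successful request, as in
    the 'loginCookieValue' scheme. Stands in for the users table."""

    def __init__(self) -> None:
        self._tokens = {}  # username -> currently valid token

    def login(self, username: str) -> str:
        token = secrets.token_hex(16)
        self._tokens[username] = token
        return token

    def check_and_rotate(self, username: str, presented: str) -> Optional[str]:
        """Accept the request if `presented` is the current token and issue
        the replacement; return None if it is stale or unknown."""
        current = self._tokens.get(username)
        if current is None or not hmac.compare_digest(current, presented):
            return None
        new_token = secrets.token_hex(16)
        self._tokens[username] = new_token
        return new_token


def simulate_parallel_requests(store: RotatingTokenStore, username: str,
                               token: str) -> Tuple[bool, bool]:
    """Two requests the browser fires before the first response arrives, so
    both carry the same token. Returns (first_accepted, second_accepted)."""
    first = store.check_and_rotate(username, token)
    second = store.check_and_rotate(username, token)
    return first is not None, second is not None


if __name__ == "__main__":
    c = make_cookie("alice", "203.0.113.5", expires=2_000_000_000)
    print("same IP  :", verify_cookie(c, "203.0.113.5", now=1_900_000_000))
    print("other IP :", verify_cookie(c, "203.0.113.6", now=1_900_000_000))
    store = RotatingTokenStore()
    t = store.login("alice")
    print("parallel requests accepted:", simulate_parallel_requests(store, "alice", t))
```

The IP binding has the usual caveat that users behind NAT, proxies or mobile networks change address mid-session and will be forced to log in again; the second half shows the cost of per-request rotation that Rik raises, where a page with several sub-requests (images, frames, XHR) logs the user out because only the first request to arrive wins.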