Posted by Sanders Kaufman on 11/01/07 18:38

(Top-posting because replying to your message didn't bring the > quotes in.
Hmmm)

I mean
1. Every page gets a PHP session.
2. Every session in which creds are validated gets a UUID cookie value.
3. Every subsequent page request gets and sets a new UUID.

The cookie format is IP-UUID-UUID-UUID-UUID.

If you spoof the IP (easy enough) and UUID (very tough) you can still get
customized content.
But to get at secure data, you have to login to the session.

My thing here is that I have various levels of "logged in".
There's logging in to the site. (cookie)
Then there's logging in to access secure data. (session)
Then there's logging in to access webmaster stuff. (https/session).

If you're gonna use cookies to do logins, that's the best way.




"Rik Wasmus" <luiheidsgoeroe@hotmail.com> wrote in message
news:op.t02xjrnc5bnjuv@metallium.lan...
On Wed, 31 Oct 2007 21:30:58 +0100, Sanders Kaufman <bucky@kaufman.net>

> I use a "loginCookieValue" (UUID) in the users database.
> Every page-view gets a new one.
> That way - even if a would-be hacker steals a "session" for one page, it
> won't be good for the next.

Do you mean every arbitrary request will alter one and the same cookie, or
every single path gets its own? Both have some drawbacks, mostly race /
simultaneous requests conditions (and a hacker gets a new one too) for the
first, people screaming they're 'logged out' when they haven't even logged
in, but just request a previously unvisited page for the latter. But maybe
I'm looking at it wrong. Could you elaborate?
--
Rik Wasmus
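The rotate-on-every-request scheme from the post above, written out as an added example (not the poster's code). It keeps the previous token valid for a short grace window so the parallel-request race Rik raises does not log the user out, and treats a token that matches neither value as a theft signal. The `$db` PDO handle and the `remember_tokens(user_id, token_hash, prev_hash, rotated_at)` table are assumed, with one row per user already present.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   remember_tokens(user_id INT PK, token_hash CHAR(64), prev_hash CHAR(64) NULL, rotated_at INT)
const GRACE_SECONDS = 30;   // how long the previous token stays valid after rotation

function newToken(): string {
    return bin2hex(random_bytes(32));   // 256 random bits in place of a UUID
}

// Rotate: current hash becomes prev_hash, a fresh token becomes current, cookie is re-set.
function issueRememberCookie(PDO $db, int $userId): void {
    $token = newToken();
    $stmt = $db->prepare('UPDATE remember_tokens
        SET prev_hash = token_hash, token_hash = :h, rotated_at = :t WHERE user_id = :u');
    $stmt->execute([':h' => hash('sha256', $token), ':t' => time(), ':u' => $userId]);
    setcookie('remember', $userId . ':' . $token, [
        'expires'  => time() + 30 * 86400, 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is valid, null otherwise.
function checkRememberCookie(PDO $db): ?int {
    if (!isset($_COOKIE['remember']) || strpos($_COOKIE['remember'], ':') === false) {
        return null;
    }
    [$userId, $token] = explode(':', $_COOKIE['remember'], 2);
    $userId = (int) $userId;
    $stmt = $db->prepare('SELECT token_hash, prev_hash, rotated_at
        FROM remember_tokens WHERE user_id = :u');
    $stmt->execute([':u' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    $h = hash('sha256', $token);
    if (hash_equals($row['token_hash'], $h)) {
        issueRememberCookie($db, $userId);   // normal path: rotate on every request
        return $userId;
    }
    // Parallel request already rotated the token: accept the previous one briefly, no re-rotation.
    if ($row['prev_hash'] !== null && hash_equals($row['prev_hash'], $h)
        && time() - (int) $row['rotated_at'] <= GRACE_SECONDS) {
        return $userId;
    }
    // Neither value matches: a replayed stolen token or a stale cookie. Invalidate the chain
    // so the legitimate user is asked to log in again rather than sharing the session.
    $db->prepare('UPDATE remember_tokens SET token_hash = :h, prev_hash = NULL WHERE user_id = :u')
       ->execute([':h' => hash('sha256', newToken()), ':u' => $userId]);
    return null;
}
```

Only SHA-256 hashes of the token are stored, so a read of the table does not yield usable cookies; the grace window bounds how long an already-rotated token can be replayed.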
