The first thing to do is to set your scripts to not allow session handling to be carried out through the URL if a person's browser won't accept cookies. It would be way too easy to change the ID. Also, if the ID numbers are sequential, you might want to have a second, random identifier that is also a session variable. Thus you not only have the user's ID, but also a random value that acts as a sort of password. This way there is more that a person attacking your script would have to do than simply changing the ID number.
Just some suggestions.

--
PHP General Mailing List (http://www.php.net/)
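One way to apply both suggestions from the message above, as an added example that is not part of the original post: cookie-only sessions, plus a random per-login value checked alongside the user ID. The function names and the `auth_token` cookie are hypothetical, carrying the random value in a cookie is one reading of the suggestion, and PHP 7.3+ over HTTPS is assumed.

```php
<?php
// Added example. Hypothetical names: start_secure_session, login_user,
// current_user_id, and the "auth_token" cookie. Assumes PHP 7.3+ and HTTPS.

function start_secure_session(): void
{
    // These must be set before session_start().
    ini_set('session.use_only_cookies', '1'); // never accept the session ID from the URL
    ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the session ID
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not issue
    session_start();
}

function login_user(int $userId): void
{
    session_regenerate_id(true);                     // fresh session ID at login
    $_SESSION['user_id'] = $userId;                  // may be sequential
    $_SESSION['token']   = bin2hex(random_bytes(32)); // unpredictable second identifier
    setcookie('auth_token', $_SESSION['token'], [
        'path'     => '/',
        'secure'   => true,   // assumption: site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function current_user_id(): ?int
{
    $expected = $_SESSION['token'] ?? '';
    $given    = $_COOKIE['auth_token'] ?? '';
    // Both the session's user ID and the matching random value are required.
    if (!isset($_SESSION['user_id']) || $expected === '' || !is_string($given)
        || !hash_equals($expected, $given)) {        // constant-time comparison
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// On a protected page:
start_secure_session();
if (current_user_id() === null) {
    http_response_code(401);
    exit('Not logged in');
}
```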