> -----Original Message-----
> From: Tijnema ! [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 9, 2007 17:55
> To: Peter Lauri
> Cc: Martin Marques; Ólafur Waage; [EMAIL PROTECTED]
> Subject: Re: [PHP] Session Authentication
>
> On 4/9/07, Peter Lauri <[EMAIL PROTECTED]> wrote:
> >
> >
> > > -----Original Message-----
> > > From: Tijnema ! [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, April 09, 2007 5:38 PM
> > > To: Martin Marques
> > > Cc: Ólafur Waage; [EMAIL PROTECTED]
> > > Subject: Re: [PHP] Session Authentication
> > >
> > > On 4/9/07, Martin Marques <[EMAIL PROTECTED]> wrote:
> > > > Tijnema ! wrote:
> > > > > On 4/9/07, Martin Marques <[EMAIL PROTECTED]> wrote:
> > > > >>
> > > > >> Yes:
> > > > >>
> > > > >> Don't use transparent session id, or even better, save the
> > > > >> authentication in a cookie on the client (separated from the
> > > > >> session array).
> > > > >
> > > > > And then the user would crack the cookie ....
> > > > > I know they are encrypted, but trust me, cookies can be edited.
> > > >
> > > > So what? The user authenticated himself, so what is he gonna crack?
> > >
> > > Yes, but I guess you're not only storing if the user has
> > > authenticated, also storing a username?
> > >
> > > And if that's not the case, then you could authenticate by creating
> > > a cookie where it says authenticated = yes, and you're authenticated...
> > >
> > > Tijnema
> > >
> > > --
> > > PHP General Mailing List (http://www.php.net/)
> > > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> > [Peter Lauri - DWS Asia]
> >
> > If cookies were that unsecured so you could create your own cookies
> > that easily, then would cookies exist?
> >
> > Best regards,
> > Peter Lauri
>
> Cookies are old, so in the time they were introduced, today it is
> possible to create and modify cookies with some good tools. These tools
> are illegal, but every cracker is 99% illegal, right?
> But that means I can't give you these tools to prove it, but it is
> possible.
>
> Tijnema
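The point Tijnema makes in the quoted exchange (a cookie that merely says `authenticated = yes` can be typed into the browser by anyone) is easiest to see next to the alternative: a cookie the server signs, so that editing or fabricating it fails verification. The following is an added example, not code from the thread or from any of its participants; the constant name COOKIE_KEY, the function names, the username "alice", and the timestamp are assumptions made for the demo. It runs stand-alone with `php cookie_auth.php` (PHP 7.1 or later) and does not need a web server, since it only operates on cookie values as strings.

```php
<?php
// Added example (not from the thread): a forgeable "authenticated=yes"
// cookie next to a server-signed one. Function and constant names are
// assumptions for this demo.

// --- Weak scheme: the cookie itself is the verdict, and the client owns it.
function weak_is_authenticated(array $cookies): bool
{
    // Anyone can set this cookie by hand; nothing ties it to a real login.
    return isset($cookies['authenticated']) && $cookies['authenticated'] === 'yes';
}

// --- Hardened scheme: cookie = username|expiry|HMAC-SHA256(username|expiry).
// The key below is a placeholder (assumption for the demo). In production load
// a random secret of at least 32 bytes from outside the web root.
const COOKIE_KEY = 'replace-with-a-long-random-server-secret';

function issue_auth_cookie(string $username, int $expires, string $key = COOKIE_KEY): string
{
    if (strpos($username, '|') !== false) {
        // '|' is the field separator; refuse names that would break parsing.
        throw new InvalidArgumentException('username must not contain "|"');
    }
    $payload = $username . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $key);
    return $payload . '|' . $mac;
}

// Returns the username on success, null for anything expired, malformed,
// edited, or fabricated without the key.
function verify_auth_cookie(string $cookie, int $now, string $key = COOKIE_KEY): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$username, $expires, $mac] = $parts;
    if (!preg_match('/^\d{1,10}$/', $expires) || (int) $expires < $now) {
        return null; // malformed or expired
    }
    $expected = hash_hmac('sha256', $username . '|' . $expires, $key);
    // Constant-time comparison: a plain == would leak timing on the MAC.
    if (!hash_equals($expected, $mac)) {
        return null; // tampered or forged
    }
    return $username;
}

// --- Demo with constructed cookie values (no real client involved).
$now = 1176134100; // constructed timestamp for the demo

// 1. The forged cookie Tijnema describes, against the weak check.
$forged = ['authenticated' => 'yes'];
echo "weak scheme accepts hand-made cookie: ",
     var_export(weak_is_authenticated($forged), true), PHP_EOL;

// 2. A genuine signed cookie, issued after a real login.
$good = issue_auth_cookie('alice', $now + 3600);
echo "signed cookie for alice verifies as: ",
     var_export(verify_auth_cookie($good, $now), true), PHP_EOL;

// 3. Attacker edits the username in the cookie editor; MAC no longer matches.
$tampered = str_replace('alice', 'admin', $good);
echo "edited cookie verifies as: ",
     var_export(verify_auth_cookie($tampered, $now), true), PHP_EOL;

// 4. Attacker fabricates a cookie from scratch without the server key.
echo "fabricated cookie verifies as: ",
     var_export(verify_auth_cookie('admin|9999999999|deadbeef', $now), true), PHP_EOL;

// 5. A genuine cookie that has passed its expiry is also rejected.
$stale = issue_auth_cookie('alice', $now - 1);
echo "expired cookie verifies as: ",
     var_export(verify_auth_cookie($stale, $now), true), PHP_EOL;
```

The MAC stops forgery and editing, which is the attack under discussion; it does nothing against theft. A cookie sniffed off the wire (Tim's Ethereal point further down the thread) replays fine until it expires, so the signed value still has to be sent only over HTTPS with the Secure and HttpOnly flags, and should carry a short expiry. Storing only a random session id in the cookie and keeping the authenticated state server-side remains the simpler option when you do not need a stateless cookie.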
Whatever, really you're boasting for nothing IMO. Ethereal is available to
everyone for sniffing cookie info, so is the Firefox cookie editor, and HTTP
Live Headers... What is so "hideous" about these tools? I use all of them to
troubleshoot my websites while under development... Really, the way to secure
web applications is learning to hack them, or learning what hacks are
possible.. And stop feeling superior, sir!

Regards,
Tim

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php