I know I'm late in on this thread but ....

Ignoring cookies is easy - just don't set them and don't use any data in
$_COOKIE[]... or am I missing your point?

$_COOKIE[] data should be treated with far more caution than $_SESSION[],
i.e. it should be treated as hostile data. If you really have to recognise
users coming back to your site after their session has timed out then store
the bare minimum in the cookie e.g. an encrypted User ID. You can then use
that to look up their information in a database table and deal with their
profile accordingly. Users can switch off cookie support at any time or
delete/tamper with cookies so don't make your code reliant on the stuff
stored in them...

In effect it is up to you what you save and process from persistent
cookies...

HTH
Rich

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm not worried about them using the query string for malicious purposes- I
have register_globals off... I'm worried about someone messing with their
cookie and setting authorized to true- that _will_ change my $_SESSION
variable, unless I can find some way to ignore cookies, which brings us back
to my original question- how do I ignore all client input, _especially_
cookies??
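
The approach described in the reply above (keep only an encrypted user ID in the cookie, treat it as hostile, look everything else up server-side), as an added example that is not part of the original thread. It uses authenticated encryption from PHP's sodium extension so that tampering is detected; the cookie name `remember`, the function names, the key handling and the sample user table are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed for the demo: in practice load one fixed secret kept on the server.
$key = sodium_crypto_secretbox_keygen();

// Constructed stand-in for the database table keyed by user ID.
$users = [42 => ['name' => 'alice', 'is_admin' => false]];

/** Cookie value = base64(nonce . authenticated ciphertext of the user ID, nothing else). */
function make_remember_cookie(int $userId, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return base64_encode($nonce . sodium_crypto_secretbox((string) $userId, $nonce, $key));
}

/** Return the user ID from a hostile cookie value, or null if malformed or tampered with. */
function read_remember_cookie(string $cookie, string $key): ?int
{
    $raw = base64_decode($cookie, true);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key); // false if the MAC check fails
    return ($plain === false || !ctype_digit($plain)) ? null : (int) $plain;
}

/** Resolve the profile from server-side data only; no other cookie is ever read. */
function returning_user(array $cookies, array $users, string $key): ?array
{
    $value = $cookies['remember'] ?? null;
    if (!is_string($value)) {
        return null;
    }
    $id = read_remember_cookie($value, $key);
    return $id !== null ? ($users[$id] ?? null) : null;
}

$good = make_remember_cookie(42, $key);
$bad  = $good;
$bad[10] = $bad[10] === 'A' ? 'B' : 'A'; // constructed tampering: alter one character

var_dump(returning_user(['remember' => $good], $users, $key));          // untouched cookie
var_dump(returning_user(['remember' => $bad], $users, $key));           // tampered cookie
var_dump(returning_user(['authorized' => 'true'], $users, $key));       // client-supplied flag only
```

Privileges such as `is_admin` come from the server-side record, so a client-supplied `authorized` cookie has no effect because the code never reads it.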

