#6
27-05-2004, 21:33
evulish
1010100
AKA: Grant Harding
#0084 (WATTNESS (bot: Chuck))
Team Role: Alumni
 
Join Date: Jul 2002
Location: Towanda/Wysox, PA
Posts: 1,434
Re: Logging into ChiefDelphi.com question

If what you're doing is trying to do a log-in system, don't depend on the cookie information having been sent from you. People can write their own cookies. Say there were two users, billybob and jimmyjoe. If billybob signs in and you set a cookie to 'user=billybob', jimmyjoe could come along and write his own cookie that says 'user=billybob', allowing him to bypass any password.

A common plan is to assign a user-id string when the person logs in. Store it in a database along with the rest of the user's information, and in his cookie. Then when he accesses the page again, check the database for that unique id. It's not super-ultra-mega secure, but it's exponentially better than using the login name as the method to check.

Hope that helps, or even relates to what you're trying to do (maybe it'll help some other random soul.. *shrug*).
__________________
I'm a professional web developer. I'm good with PHP, Perl, Java/JSP, some RoR, XML, Javascript (AJAX as well), (x)HTML, CSS, etc.. Validated code is good; fully cross-browser code is better (you comply with your users and the software they use, not the other way around. Sorry!)
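The two schemes evulish contrasts, as an added example that is not part of the original post (the poster works in PHP; this is written in Python purely as an illustration). The user table, the passwords and the cookie names (`user=`, `sid=`) are constructed for the demo and are not from the thread. The "database" is an in-memory dict standing in for the session table the post describes.

```python
import hmac
import secrets

# Constructed example accounts for the demo, not real users.
# A real site stores password hashes, never plaintext.
USERS = {"billybob": "hunter2", "jimmyjoe": "swordfish"}


def _password_ok(username, password):
    """Constant-time comparison so a wrong guess does not leak timing."""
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, password)


# --- Scheme the post warns against: the cookie carries the username --------

def insecure_login(username, password):
    """On success, returns the cookie a naive site would set: just the name."""
    if _password_ok(username, password):
        return f"user={username}"
    return None


def insecure_whoami(cookie):
    """Trusts the cookie outright. Anyone who writes 'user=billybob'
    into their own browser is billybob, no password needed."""
    if cookie.startswith("user="):
        return cookie[len("user="):]
    return None


# --- Scheme the post recommends: random id stored server-side --------------

class SessionStore:
    """Server-side table mapping session id -> username.
    This is the 'database' row the post says to check on every request."""

    def __init__(self):
        self._sessions = {}

    def login(self, username, password):
        """On success, mints an unguessable id, records it, and returns
        the cookie value to set. The cookie never carries the username."""
        if not _password_ok(username, password):
            return None
        sid = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
        self._sessions[sid] = username
        return f"sid={sid}"

    def whoami(self, cookie):
        """Looks the id up; a forged or guessed id simply is not in the table."""
        if not cookie.startswith("sid="):
            return None
        return self._sessions.get(cookie[len("sid="):])

    def logout(self, cookie):
        """Deleting the server row invalidates the cookie even if it is replayed."""
        self._sessions.pop(cookie[len("sid="):], None)


def demo():
    """jimmyjoe tries to become billybob under both schemes without the password."""
    forged = "user=billybob"  # jimmyjoe hand-writes this cookie
    store = SessionStore()
    real_cookie = store.login("billybob", "hunter2")
    results = {
        "insecure_forged": insecure_whoami(forged),          # 'billybob' -> bypass
        "secure_real": store.whoami(real_cookie),            # 'billybob'
        "secure_forged": store.whoami("sid=billybob"),       # None
        "secure_guess": store.whoami("sid=" + secrets.token_urlsafe(32)),  # None
    }
    store.logout(real_cookie)
    results["secure_after_logout"] = store.whoami(real_cookie)  # None
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The property that makes the second scheme hold up is that the id comes from a cryptographic random source and is long enough that guessing is hopeless; a sequential or timestamp-derived id would let jimmyjoe enumerate billybob's session just as easily as he forged the username. In a real deployment the cookie should also be set with the `HttpOnly` and `Secure` flags and the server row should expire, which is the "not super-ultra-mega secure" gap the post leaves open.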