30-05-2004, 09:27
Raven_Writer
2004 Detroit & Pittsburgh Winners
AKA: Eric Hansen
FRC #0005 (RoboCards)
Team Role: Mentor
 
Join Date: Jan 2003
Rookie Year: 2002
Location: Melvindale
Posts: 1,549
Re: Logging into ChiefDelphi.com question

Quote:
Originally Posted by evulish
If what you're doing is trying to do a log-in system, don't depend on the cookie information to be sent from you. People can write their own cookies. Say there were two users.. billybob and jimmyjoe. If billybob signs in, and you set a cookie to 'user=billybob,' jimmyjoe could come along and write his own cookie that says 'user=billybob' allowing him to bypass any password. A common plan is to assign a user-id string when the person logs in. Store it in a database along with the rest of the user's information and in his cookie. Then when he accesses the page again, check the database for that unique id. It's not super-ultra-mega secure. But it's exponentially better than using the login name as the method to check. Hope that helps, or even relates to what you're trying to do (Maybe it'll help some other random soul.. *shrug*)
I was reading about how bad cookies usually were over the past couple of days. Now, I've switched over to using sessions. I think I'll either try storing a unique ID (MD5 maybe?), or just not even bother keeping the user logged in during a re-visit.
__________________
AIM: wisprmylastbreth
EMail: nightskywriter@gmail.com
Y!: synsoflife

"ai yoru ga" -- "Love the nights"
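
The scheme evulish describes, sketched as an added example that is not code from either poster: the forgeable `user=` cookie check next to a random per-login ID that is stored server-side and looked up on each visit. The in-memory dict standing in for the database, the cookie name `sid`, the one-hour lifetime and all function names are assumptions. The ID is drawn from a CSPRNG rather than derived from the login name (for example an MD5 of it), since anyone can recompute a derived value.

```python
import hashlib
import secrets
import time

SESSION_TTL = 3600  # seconds; assumed lifetime for this sketch

# Stand-in for the database table: sha256(token) -> (username, expiry).
# Only the hash is stored, so a leaked table does not yield usable cookies.
sessions = {}


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def naive_check(cookie):
    """The flawed design: trust whatever name the browser sends."""
    name, _, value = cookie.partition("=")
    return value if name == "user" and value else None


def login(username, now=None):
    """Call only after the password check succeeds; returns the cookie to set."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 random bits, unrelated to the name
    sessions[_digest(token)] = (username, now + SESSION_TTL)
    return "sid=" + token


def current_user(cookie, now=None):
    """Resolve a cookie to a username, or None if unknown or expired."""
    now = time.time() if now is None else now
    name, _, token = cookie.partition("=")
    if name != "sid" or not token:
        return None
    record = sessions.get(_digest(token))
    if record is None:
        return None
    username, expiry = record
    if now >= expiry:
        sessions.pop(_digest(token), None)  # drop stale rows on sight
        return None
    return username


def logout(cookie):
    """Invalidate the session server-side so the cookie stops working."""
    sessions.pop(_digest(cookie.partition("=")[2]), None)
```

In a real deployment the cookie would also be set with the `Secure` and `HttpOnly` attributes so it is sent only over HTTPS and is not readable from page scripts.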