Every time they click on a link (ie. go to their account manager, post an event, etc.) I immeidately check the cookie to see who it is and if there is not userid cookie then I print the login page and tell them to login.Cookie values can be changed or hijacked so it's not entirely safe to depend on them without taking some precautions. For example, if you set a user with a cookie value of 'abcde' and if I'm able to get to that value, I could masquerade as that user by tweaking the cookie file in my computer. That's what I think but I may be wrong.
I use MD5 to set a unique cookie value and that value is saved into the db. The user is recognised by the cookie value. Every time he or she logs in, a new cookie value is created and set. This new value replaces the old one in the db.
I'm not 100% sure if my method is secure but I think it's better than relying on one unchanging unique cookie value.
In reply to Re: How to make a secure website
by kiat
in thread How to make a secure website
by cranberry13
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |