The system itself is a little out of date, but the ideas behind it are still great. Like eeek said, session vars are not visible to the outside world, and thus can't be manipulated by anyone but the server(that I know of).
henry0 I did see people mentioning that, and I think that is where the confusion came from.
Can anyone give me some more info on what to do with the cookie. Do I store the visitors username/password (encrypted) in the cookie and check are authorised at the start of each session, then hold that variable "Y/N" in the session?
in such a case SSL might not be required but the usual checking more than ever for example don't even trust yourself! say you pass a session with a content of AAA the receiving page/pages ought to check if the session only contains uppercase alpha char
Msg#: 3888424 posted 11:21 am on Apr 10, 2009 (gmt 0)
In the cookie / session (whatever you're using, maybe both), store the user id and a message digest of their password, e.g. md5($password). Then validate what the user presents against the database. Passwords shouldn't be stored in plain-text in your database.