Re: [PHP] Using cookies (PHP General forum)
John W. Holmes wrote:
<snip>
>> Chris W. Parker wrote:
>>> Here's a thought:
>>>
>>> How about adding an arbitrary number (let's say 241757219) to every user's
>>> userid and then storing that number as the random id?
>>>
>>> So let's say the first user comes along and is given the userid 1. We
>>> then create their random id by adding 241757219 to their userid. We get
>>> a random id of 241757220. Then within the login page I can subtract
>>> 241757219 from their random id and get their userid.
>>>
>>> Since the userid will always be unique (auto-incrementing) it stands to
>>> reason that the random id (using the method above) will also always be
>>> unique while at the same time not making any sense to a potential
>>> attacker. (It could even be made more complicated but use the same
>>> method.)
>>>
>>>
>>> How does that sound?
>>>
>>
>> Sure. Since a potential 'hacker' doesn't know your base number, it
>> would be pretty secure.
>
>
> Not a good method. If I get on your site and see my cookie has the value
> 241757219 in it, I just need to subtract one from the number and revisit
> your site. Now I'm the user who registered before me. Using the rand()
> or uniqid() method above means I have to guess an entire random number /
> character sequence, which is going to be harder (or nearly impossible).
>

Oh sure, figure out a way to circumvent this. What the hell are you trying to do, help people here? hehe

--
By-Tor.com
It's all about the Rush
http://www.by-tor.com
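The two schemes compared in this thread, side by side, as an added example that is not part of any poster's message. It uses random_bytes() (PHP 7+) in place of the rand()/uniqid() calls named in the thread, and the function names and the in-memory $store array are hypothetical stand-ins for a real database table.

```php
<?php
// Added example; all names below are hypothetical.

const OFFSET = 241757219; // the arbitrary base number proposed in the thread

// Scheme from the thread: cookie value = userid + fixed offset.
function offsetCookie(int $userId): int { return $userId + OFFSET; }
function offsetLookup(int $cookie): int { return $cookie - OFFSET; }

// Random-token scheme: the cookie value is unrelated to the userid.
// Only a SHA-256 digest of the token is kept server-side, so a leaked
// table does not hand out usable cookies.
function issueToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $store[hash('sha256', $token)] = $userId;
    return $token;
}

// Returns the userid for a presented cookie, or null if it is unknown.
function lookupToken(array $store, string $cookie): ?int
{
    return $store[hash('sha256', $cookie)] ?? null;
}

// Offset scheme: the holder of one valid cookie can compute its neighbours.
$mine = offsetCookie(2);
echo "own cookie maps to user ", offsetLookup($mine), "\n";
echo "cookie - 1 maps to user ", offsetLookup($mine - 1), "\n";

// Token scheme: a value derived from a valid token matches nothing.
$store = [];                       // constructed sample store
issueToken($store, 1);
$t2 = issueToken($store, 2);
$last = substr($t2, -1);
$altered = substr($t2, 0, -1) . ($last === '0' ? '1' : '0');

echo "valid token maps to user ", var_export(lookupToken($store, $t2), true), "\n";
echo "altered token maps to ", var_export(lookupToken($store, $altered), true), "\n";
```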