This is a discussion on Re: [PHP] Using cookies within the PHP General forums, part of the PHP Programming Forums category.
Chris W. Parker wrote:
> John W. Holmes <mailto:holmes072000@charter.net>
>     on Tuesday, October 21, 2003 5:30 PM said:
>
>>Not a good method. If I get on your site and see my cookie has the
>>value 241757219 in it, I just need to subtract one from the number
>>and revisit your site. Now I'm the user who registered before me.
>>Using the rand() or uniqid() method above means I have to guess an
>>entire random number / character sequence, which is going to be
>>harder (or nearly impossible).
>
> But that would require that you register immediately after the person
> before you. Then you could compare the two numbers and figure out what
> the base number is, but that seems REALLY unlikely.
>
> Can you explain it a little different maybe?

I only have to register once to see what kind of data you're storing in the cookie. If you're just relying on that number, all I have to do is change it to become another user. I don't need to know about your "base number" or anything, just send another number and see what happens.

-- 
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com
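An added example, not part of the original thread: a sketch of the server side of the random-identifier approach discussed above, where the cookie carries an unguessable token and the user id is looked up from a server-side table. It uses `random_bytes()` rather than the `rand()` or `uniqid()` named in the post, and the `TokenStore` class, the cookie name `auth`, the in-memory array and the user ids are assumptions made for illustration (PHP 7.4 or later).

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for a server-side table: token hash => user id.
final class TokenStore
{
    /** @var array<string,int> */
    private array $byHash = [];

    // Issue an unguessable cookie value for a user; only its hash is stored.
    public function issue(int $userId): string
    {
        $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG
        $this->byHash[hash('sha256', $token)] = $userId;
        return $token;
    }

    // Map a cookie value back to a user id, or null if it was never issued.
    public function resolve(string $cookieValue): ?int
    {
        // Reject anything that does not have the shape of an issued token.
        if (!preg_match('/\A[0-9a-f]{64}\z/', $cookieValue)) {
            return null;
        }
        return $this->byHash[hash('sha256', $cookieValue)] ?? null;
    }
}

$store = new TokenStore();
$first  = $store->issue(241757218);   // constructed user ids, one apart
$second = $store->issue(241757219);

// A token resolves to the user it was issued for.
var_dump($store->resolve($second) === 241757219);

// A bare user id sent as the cookie value no longer identifies anyone.
var_dump($store->resolve('241757218'));

// Changing one character of a real token does not land on a neighbouring user.
$tampered = substr($second, 0, -1) . ($second[-1] === '0' ? '1' : '0');
var_dump($store->resolve($tampered));

// When sent to the browser, the token would carry hardened cookie attributes:
// setcookie('auth', $second, ['secure' => true, 'httponly' => true,
//                             'samesite' => 'Lax', 'path' => '/']);
```

Storing only the SHA-256 of the token means a leaked copy of the table does not hand out usable cookie values.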