Hi Folks
I have an authorisation that works with sessions but want to create a "cookie" backup in case of a broken internet connection.
I set the cookie at login with expire 3600 - (At the moment using client_ID 'cos it's easy to see for developing) -
If the session is no longer there I look for the cookie and can re-establish connection without having to log in again
- It's all working perfectly as I want it.
There are supposed to be lots of security issues surrounding the use of cookies. Theoretically I thought if I changed the client_ID to another client I should come back to another client but I don't - I get blocked and the cookie is actually deleted.
My first question (more for curiosity): is there built-in security to stop tampering? (using IE5 on IIS)
The way I'm planning to stop anyone doing what I can't do anyway is to store the session_id and username in the cookie and in the database.
On reconnection I'll search for username and only the original user would have a matching Session_ID in both the cookie and the database.
Thoughts on holes would be appreciated.
Chris Skidmroe
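
The reconnect check described in the post, sketched as an added example that is not part of the original post. It assumes the session ID is a random value generated at login, stores only its SHA-256 digest, and uses an in-memory dict in place of the database; the function names, the `|` cookie separator and the sample users are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

COOKIE_LIFETIME = 3600  # seconds, the expiry used in the post

# Stand-in for the database table: username -> (sha256 of session ID, expiry time)
_db = {}


def _digest(session_id):
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()


def issue_cookie(username, now=None):
    """At login: create a random session ID, record it, return the cookie value."""
    now = time.time() if now is None else now
    session_id = secrets.token_urlsafe(32)
    _db[username] = (_digest(session_id), now + COOKIE_LIFETIME)
    return f"{username}|{session_id}"


def reconnect(cookie_value, now=None):
    """Return the username if the cookie matches the stored record, else None."""
    now = time.time() if now is None else now
    # Split on the last "|": the generated session ID never contains one
    username, sep, session_id = cookie_value.rpartition("|")
    record = _db.get(username)
    if not sep or record is None:
        return None
    stored_digest, expires = record
    # Constant-time comparison of the presented ID against the stored one
    if not hmac.compare_digest(_digest(session_id), stored_digest):
        return None
    if now > expires:
        del _db[username]  # expired: drop the record so it cannot be reused
        return None
    return username


if __name__ == "__main__":
    alice = issue_cookie("alice", now=0)   # constructed sample users
    issue_cookie("bob", now=0)
    forged = "bob|" + alice.rsplit("|", 1)[1]  # username edited, session ID kept
    print(reconnect(alice, now=10))    # original cookie
    print(reconnect(forged, now=10))   # edited cookie
    print(reconnect(alice, now=4000))  # after expiry
```
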