On Sat, Nov 06, 2004 at 06:02:40PM -0600, Rodolfo J. Paiz wrote:
few users, each of which has a username and password. However, they
do
not want to rely on .htaccess files only; they want each page to check
session validity so they can have time-outs and stuff.
There are a whole pile of session manager libraries for PHP floating around
and some of them don't suck 8)
1. The user's credentials should be stored in some
reasonably-secure
and reasonably-scalable fashion. I do not have the knowledge to
determine whether an htaccess file will work well enough or whether
The linux.org.uk portaloo does the following
state = [array of things we need to remember] + timestamp
md5sum (state, secret)
cookie = md5result + state
that gives you rather hard to fake browser kept state very easily
Alan