Old 06-30-2008, 07:18 PM   #10 (permalink)
drewbee
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
drewbee is on a distinguished road

Right. Unfortunately this information can be manipulated as well. IP addresses are out for me because of the lovely ISPs that use reciprocating IPs (AOL).

How trustworthy are user agents?

Here is what I will do:

cookie('account_id', '1');
cookie('identifier', 'dasf8a3hdshf98hw3');

database:
account_id, identifier, user_agent

When first checking if the first two cookies exist, I will query against all three items for validity:

SELECT account_id FROM remember_me WHERE account_id = (cookie:account_id) AND identifier = (cookie:identifier) AND user_agent = (browser:user_agent);

So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the user's specific user agent as well, passed by the browser and no other place.

Sounds like a plan. Should a user disable the sending of their user agent, then it will simply validate as ''.
__________________
There are No Stupid Questions. But there are a LOT of Inquisitive Idiots.
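The validation described in the post above, written out as an added Python example (not code from the post or from any project it mentions). It assumes the poster's three-column remember_me table and an in-memory SQLite database constructed here; the column names, the hashing of the stored identifier, the parameterised query and the constant-time comparison are assumptions added for the example. It shows the check passing for the browser that was issued the cookies, failing when either cookie is missing or wrong, and comparing a blank user agent as '' exactly as the post says. Because the browser supplies the user agent, the example treats it as a consistency check and keeps the random identifier as the only real secret.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory database mirroring the poster's remember_me table
# (account_id, identifier, user_agent). The identifier column stores a
# SHA-256 hash of the cookie value rather than the raw value (an assumption
# for this example), so a leaked table does not hand out usable cookies.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE remember_me (account_id INTEGER, identifier TEXT, user_agent TEXT)"
    )
    return db

def hash_identifier(identifier: str) -> str:
    return hashlib.sha256(identifier.encode()).hexdigest()

def issue_remember_me(db, account_id: int, user_agent: str) -> dict:
    """Insert a row and return the two cookies the browser should receive."""
    identifier = secrets.token_urlsafe(32)  # random, not derived from account data
    db.execute(
        "INSERT INTO remember_me VALUES (?, ?, ?)",
        (account_id, hash_identifier(identifier), user_agent or ""),
    )
    return {"account_id": str(account_id), "identifier": identifier}

def validate_remember_me(db, cookies: dict, user_agent):
    """Return the account_id if both cookies and the user agent match a row, else None."""
    if "account_id" not in cookies or "identifier" not in cookies:
        return None
    try:
        account_id = int(cookies["account_id"])
    except ValueError:
        return None
    # Parameterised query: cookie values are never concatenated into the SQL text.
    row = db.execute(
        "SELECT identifier, user_agent FROM remember_me WHERE account_id = ?",
        (account_id,),
    ).fetchone()
    if row is None:
        return None
    stored_hash, stored_ua = row
    # Constant-time comparison of the secret so timing does not leak near-matches.
    if not hmac.compare_digest(stored_hash, hash_identifier(cookies["identifier"])):
        return None
    # The user agent is chosen by the client, so it is a consistency check rather
    # than a secret. A browser that sends none is compared as '' (as in the post).
    if stored_ua != (user_agent or ""):
        return None
    return account_id

if __name__ == "__main__":
    db = make_db()
    cookies = issue_remember_me(db, 7, "Mozilla/5.0 (constructed)")
    print(validate_remember_me(db, cookies, "Mozilla/5.0 (constructed)"))  # 7
    print(validate_remember_me(db, cookies, "some other agent"))           # None
```

The user-agent check only adds anything when the stored value and the presented one differ, so logging those mismatches is the useful signal; the identifier hash and its constant-time comparison are what actually protect the session.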