07-02-2008, 11:39 PM
#11
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 44
Thanks: 3
Quote:
So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the user's specific user agent as well passed by the browser and no other place.

The user agent seems like a pretty solid solution. For fun, why not hash it?
I offer my users a Global Logout, where it updates the unique identifier in the database, making all of the old identifiers no longer valid. Some users like that.
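The two ideas in this post, a hashed user agent and a Global Logout that replaces the stored identifier, sketched as an added example that is not part of the original post. The in-memory dict stands in for the database, and `SERVER_KEY`, `ua_tag`, `login`, `is_valid` and `global_logout` are hypothetical names.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: a per-deployment secret key
IDENTIFIERS = {}                      # account_id -> current identifier (stand-in for the DB)


def ua_tag(identifier: str, user_agent: str) -> str:
    """Keyed hash that binds the identifier to the browser's User-Agent."""
    msg = identifier.encode() + b"\x00" + user_agent.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def login(account_id: int, user_agent: str) -> dict:
    """Issue cookies; the account's identifier is shared by all of its devices."""
    identifier = IDENTIFIERS.setdefault(account_id, secrets.token_urlsafe(32))
    return {"account_id": account_id, "identifier": identifier,
            "ua": ua_tag(identifier, user_agent)}


def is_valid(cookies: dict, user_agent: str) -> bool:
    """Accept only the current identifier, sent by the User-Agent it was issued to."""
    current = IDENTIFIERS.get(cookies.get("account_id"))
    if current is None:
        return False
    sent_id = str(cookies.get("identifier", "")).encode()
    sent_ua = str(cookies.get("ua", "")).encode()
    same_id = hmac.compare_digest(current.encode(), sent_id)
    same_ua = hmac.compare_digest(ua_tag(current, user_agent).encode(), sent_ua)
    return same_id and same_ua


def global_logout(account_id: int) -> None:
    """Replace the stored identifier; cookies issued before this call stop validating."""
    IDENTIFIERS[account_id] = secrets.token_urlsafe(32)


if __name__ == "__main__":
    laptop = "Mozilla/5.0 (constructed sample; laptop)"  # constructed User-Agent strings
    phone = "Mozilla/5.0 (constructed sample; phone)"
    c_laptop, c_phone = login(7, laptop), login(7, phone)
    print(is_valid(c_laptop, laptop), is_valid(c_laptop, phone))
    global_logout(7)
    print(is_valid(c_laptop, laptop), is_valid(c_phone, phone))
```

The User-Agent header is not a secret, so the binding only flags a cookie replayed from a different browser; replacing the identifier is what revokes the sessions.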