
jay5r

New Members
  • Content Count

    3
Community Reputation

1 Neutral

About jay5r

  • Rank
    Newbie
  1. Avatars are spam? I can see where signatures could be spam, but I don't get how avatars are spam.
  2. I'd try this…

         RewriteCond %{HTTP_USER_AGENT} !MyApp
         RewriteRule ^.* http://mydomain.com/error.html [R=302]

     I think the most critical thing you were missing was the ! at the beginning of the pattern. That ! says "not"… You were matching the string, you needed to match all the ones that don't match the string. I think L is redundant if there's a redirect. And I always do R=302 (or R=301) so I know exactly what type of redirect is being done.
  3. The short answer to the OP's question is, "No, your cookies are not secure because you're only passing the first three parameters to the setcookie function. The other parameters are really important and should not be ignored"…

         bool setcookie ( string $name [, string $value = "" [, int $expire = 0 [, string $path = "" [, string $domain = "" [, bool $secure = false [, bool $httponly = false ]]]]]] )

     $path – You'll probably want to set it to '/' since you probably need your cookie available on all pages on your site.

     $domain – I'm not sure if you're using a subdomain, but set it to the most restrictive value possible (for maximum security). So 'www.yourdomain.com'. If you're not using a subdomain I've noticed the browsers implement things differently than the W3 spec. The spec says that '.yourdomain.com' and 'yourdomain.com' should act the same way (e.g. the cookie is available on all subdomains), but if your host name is yourdomain.com (e.g. no subdomain), then setting $domain to 'yourdomain.com' only sends it to that one host name. It's not available on other subdomains. To get all subdomains you'll need to set $domain to '.yourdomain.com'.

     $secure – should be set to true (or 1). That means the cookie will only be sent over encrypted, HTTPS connections. Which means your site needs to be encrypted. If it's not, stop now and get it encrypted and then revisit your cookie question.

     $httponly – should be set to true (or 1). That will stop it from being available to JavaScript in standards-compliant browsers.

     There are other things you can do to increase security (many of which are mentioned above), but you first need to start with using all the parameters in the setcookie command.
  4. Just joined. Checking things out. Been programming (obscure) relational databases for many years. Dabbled in PHP for a while and then started getting serious about PHP / MySQL 2-3 years ago. Developing a network of sites with Fat Free Framework.
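The seven-parameter setcookie() call from the answer in item 3, together with a small check for the attributes that answer names, as an added example that is not part of the original posts. The function names, the cookie name and value, and the sample header lines are assumptions made for illustration.

```php
<?php
// Added example (PHP 7.4+); send_auth_cookie(), missing_cookie_attrs() and the
// header lines below are constructed for illustration.

/** Call setcookie() with all seven parameters from the post. */
function send_auth_cookie(string $name, string $value, int $ttl, string $host): bool
{
    // $secure = true is only useful on an HTTPS request, so refuse otherwise.
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    if (!$https || headers_sent()) {
        return false;
    }
    return setcookie(
        $name,
        $value,
        time() + $ttl, // $expire
        '/',           // $path: available on every page of the site
        $host,         // $domain: most restrictive value, e.g. 'www.yourdomain.com'
        true,          // $secure: HTTPS connections only
        true           // $httponly: not readable from JavaScript
    );
}

/** Return which of the post's attributes a Set-Cookie header line lacks. */
function missing_cookie_attrs(string $headerLine): array
{
    $parts = array_map('trim', explode(';', $headerLine));
    array_shift($parts); // drop the "name=value" pair
    $seen = [];
    foreach ($parts as $part) {
        $seen[strtolower(explode('=', $part, 2)[0])] = true;
    }
    return array_values(array_filter(
        ['path', 'domain', 'secure', 'httponly'],
        fn($attr) => !isset($seen[$attr])
    ));
}

// Constructed header lines: a three-argument call vs. the full call.
$weak = 'Set-Cookie: auth=abc123; expires=Thu, 01 Jan 2026 00:00:00 GMT';
$full = 'Set-Cookie: auth=abc123; expires=Thu, 01 Jan 2026 00:00:00 GMT; '
      . 'path=/; domain=www.yourdomain.com; secure; HttpOnly';

send_auth_cookie('auth', 'abc123', 3600, 'www.yourdomain.com');
print_r(missing_cookie_attrs($weak));
print_r(missing_cookie_attrs($full));
```

Run from the command line, send_auth_cookie() returns false because there is no HTTPS request; the two print_r() calls show which attributes each sample header lacks.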