Dunno, what does the CMS actually do?

One issue might be that it sounds as though the web based user is executing scripts with full owner permissions. I personally don't allow write access on files within 'public_html' to anyone other than the owner. If your files are able to be written to by a user with a cookie, then they are available to be written to by anyone who works out the querystring you use.

If you have no database I am guessing that the system is allowing content to be read / written to php or inc scripts? And there are automated processes which look for random querystrings and may be able to circumvent what security you may have.

A big lesson for me was several years ago when I was very wet behind the ears and a script I used which pretty much pulled an include file (?section=news got news.php) was hacked by someone calling an external file. No harm done other than my server was used to send thousands and thousands of spam emails!

My own advice would be to use a database securely all of the time even if the site is a 10 pager. If that's not possible, then I would tend towards having a totally separate CMS with as secure as the server will allow username / password access.

The single biggest security lesson I've learned in 10 years of web development is this: Treat every visitor to your site as a potential hacker.

H

> I have built a simple cms into a website and to access the controls I
> have provided a link to a url (with query string) which downloads a
> cookie to the user's machine. Then when the user accesses the website a
> link to the cms is provided but only the machine with the cookie can see it.
>
> There is no sensitive data there, no sql database and the cookie expires
> after about a month.
>
> As far as I can see the cookie is no different to a user saving their
> user name and password on their computer. If I am to use it where more
> than 1 person will have access I will add another stage where they have
> to add their usr & pw.
>
> It's written in php.
>
> What would be the security issues around this approach?
>
> Kind Regards
>
> Chris Price
> Choctaw
> chris.price at choctaw.co.uk
> www.choctaw.co.uk
>
> For unsubscribe and other options, including the Tip Harvester
> and archives of thelist go to: http://lists.evolt.org

--
Hugh Miller
Web Developer
Clyde & Forth Press Ltd
Email: hmiller at cfpress.co.uk
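As an added example (not code from either message), the two patterns Hugh flags, each shown as written naively and then hardened: the ?section=news include and a CMS link that appears whenever a cookie is present. The section names, the cms_admin session key and the content directory are assumptions.

```php
<?php
// Added example, not code from the thread. Two patterns from Hugh's reply:
// the "?section=news pulls news.php" include, and a CMS gated on a cookie.
// UNSAFE include: the query value becomes the path. If remote includes are
// enabled (allow_url_include; allow_url_fopen on PHP before 5.2) a URL is
// fetched and executed; otherwise "../" still reaches files elsewhere.
function load_section_unsafe(string $section): void
{
    include $section . '.php';
}

// HARDENED: the request value is only a key into a fixed map, so the path
// never depends on user input and there is nothing to traverse or fetch.
const SECTIONS = ['news' => 'news.php', 'about' => 'about.php'];

function resolve_section($requested): string
{
    $key = is_string($requested) ? $requested : '';   // ?section[]=x -> default
    return SECTIONS[$key] ?? SECTIONS['news'];
}

function load_section_safe($requested, string $contentDir): void
{
    // $contentDir is a fixed server-side path such as __DIR__ . '/sections'
    include $contentDir . '/' . resolve_section($requested);
}

// Gating on isset($_COOKIE['cms_access']) makes anyone who learns the
// cookie-setting URL an admin. Keep the flag in a server-side session that
// is only set after a password check, in a cookie page scripts cannot read.
function start_cms_session(): void
{
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
    session_start();
}

function cms_login(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id after the privilege change
    $_SESSION['cms_admin'] = true;
    return true;
}

function cms_visible(): bool
{
    return ($_SESSION['cms_admin'] ?? false) === true;
}
```

The front controller would call start_cms_session() first, then load_section_safe($_GET['section'] ?? null, __DIR__ . '/../sections') and show the CMS link only when cms_visible() returns true.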