Re: [PHP] input on sessions vs cookies



On Sat, 2007-02-24 at 20:05 -0800, benifactor wrote:
> as of right now, when the user logs in, i have a cookie storing username...
> then on all of the pages i need data i have it query the database and using
> the cookie data to retrieve user information.. is there a more secure way to
> do this?

This is horrible. It means if I know of any other user on your site and
I think they may be logged in, then I can change the username in my
cookie and hijack their session. In fact, if you have any kind of system
that exposes user input (such as a forum), then I can with great accuracy
determine what users are logged in and are active, thus making it trivial
to hijack sessions. Instead of storing the username, create a unique ID
(32 alphanumeric digits is common) that maps to the session data. This
is what PHP native sessions do. Why not use PHP native sessions? They've
done most of the work for you and they use cookies when it is detected
that cookies are enabled.

Cheers,
Rob.
--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
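As an added illustration (not code from Rob's message or the original poster's site), the two approaches side by side in PHP: the cookie-carries-username pattern Rob objects to, and the replacement he describes, an opaque random ID that maps to server-side session data, using PHP's native session functions. The function names (`login_insecure`, `start_session`, `login_secure`, `current_user_secure`, `new_session_id`) are hypothetical.

```php
<?php
// Added example, not code from the thread. First the pattern Rob objects to:
// the cookie itself names the user, so any client that presents another
// account's username is treated as that user (read back via $_COOKIE).
function login_insecure(string $username): void
{
    setcookie('username', $username);
}

// What Rob recommends instead: the cookie carries only an opaque random ID,
// and the ID -> user mapping lives on the server. This is exactly what PHP's
// native sessions do (PHPSESSID cookie plus a server-side session store).
function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_start([
        'use_strict_mode' => true,     // reject IDs the server never issued
        'cookie_httponly' => true,     // cookie not readable by page scripts
        'cookie_secure'   => true,     // cookie only sent over HTTPS
        'cookie_samesite' => 'Strict',
    ]);
}

function login_secure(string $username): void
{
    start_session();
    // Issue a fresh ID at login so the authenticated session is not tied to
    // whatever ID the browser was carrying before the user proved identity.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

function current_user_secure(): ?string
{
    start_session();
    // The username is read from server-side storage keyed by the session ID;
    // the cookie value itself is never interpreted as a user name.
    return $_SESSION['username'] ?? null;
}

// If you keep your own session table instead of PHP's, generate the key the
// same way: 16 CSPRNG bytes -> 32 hex chars, Rob's "32 alphanumeric digits".
function new_session_id(): string
{
    return bin2hex(random_bytes(16));
}
```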


