Re: [PHP] input on sessions vs cookies
- From: robert@xxxxxxxxxxxxx (Robert Cummings)
- Date: Sun, 25 Feb 2007 09:11:25 -0500
On Sat, 2007-02-24 at 20:05 -0800, benifactor wrote:
> as of right now, when the user logs in, i have a cookie storing username...
> then on all of the pages i need data i have it query the database and using
> the cookie data to retrieve user information.. is there a more secure way to
> do this?
This is horrible. It means if I know of any other user on your site and
I think they may be logged in then I can change the username in my
cookie and hijack their session. In fact, if you have any kind of system
that exposes user input (such as a forum) then I can with great accuracy
determine what users are logged in and are active thus making it trivial
to hijack sessions. Instead of storing the username, create a unique ID
(32 alphanumeric digits is common) that maps to the session data. This
is what PHP native sessions do. Why not use PHP native sessions? They've
done most of the work for you and they use cookies when it is detected
that cookies are enabled.
Cheers,
Rob.
--
..------------------------------------------------------------.
| InterJinn Application Framework - http://www.interjinn.com |
:------------------------------------------------------------:
| An application and templating framework for PHP. Boasting |
| a powerful, scalable system for accessing system services |
| such as forms, properties, sessions, and caches. InterJinn |
| also provides an extremely flexible architecture for |
| creating re-usable components quickly and easily. |
`------------------------------------------------------------'
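The two designs Rob contrasts, side by side, as an added example that is not part of the original post or of InterJinn. The first half is the poster's pattern (identity in a forgeable cookie); the second is the fix (a random server-issued session ID in the cookie, the identity held server-side in $_SESSION). It assumes a PDO handle to a `users` table with `id`, `username` and `password_hash` columns, an HTTPS site, and PHP 7.3 or later for password_verify() and the array form of session_set_cookie_params(); all of those are assumptions, not anything the thread states.

```php
<?php
// Added example, not from the original post. Assumptions: a PDO connection
// to a users table (id, username, password_hash), HTTPS, PHP >= 7.3.

// --- Pattern the original poster described (vulnerable) ---------------------
// The cookie value is attacker-controlled: anyone who knows another user's
// name can edit their own cookie and become that user.
function vulnerable_login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    setcookie('username', $user);          // identity lives in a forgeable cookie
    return true;
}

function vulnerable_current_user(PDO $db): ?array
{
    if (!isset($_COOKIE['username'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$_COOKIE['username']]); // trusts client-supplied identity
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// --- The fix: PHP native sessions -------------------------------------------
// The cookie carries only a random session ID; the ID-to-user mapping lives
// server-side in $_SESSION, so knowing someone's username buys nothing.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;                              // safe to call more than once per request
    }
    ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');// never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,                  // assumption: site is served over HTTPS
        'httponly' => true,                  // keep the ID away from injected JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function secure_login(PDO $db, string $user, string $pass): bool
{
    start_secure_session();
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return false;
    }
    // Fresh ID on privilege change, so an ID an attacker planted before login
    // (session fixation) does not become an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['login_at'] = time();
    return true;
}

function secure_current_user(PDO $db): ?array
{
    start_secure_session();
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);  // identity came from the server, not the client
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    $p = session_get_cookie_params();        // expire the cookie with the same attributes it was set with
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

The "32 alphanumeric digits" Rob mentions is what PHP generates for you: the default session.sid_length is 32 hex characters, drawn from the engine's CSPRNG, and use_strict_mode makes the server discard any cookie value it did not issue itself, which is the property the username cookie never had.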