Would this be Secure?

Posted by aldo, 01-09-2008, 03:19 AM
I currently only use cookies for my user systems. I see people saying they're not very secure, and that sessions should be used. So my question is, should I use COOKIES and SESSIONS for my user system? For instance, since sessions only last till you close your browser or leave the site, I would store a random string and a username in cookies. Now the session ID and username are stored in an SQL DB. When they log in, the random ID is made and stored in their browser and in the DB along with their username, and the session is then started. When they leave, the session ends but the cookie is still there. When they come back, I get the random ID and the user, and if it's in the DB (the ID and user match) their session is restarted. So is that secure or not? If not, what should I do to make it secure?

Posted by Czaries, 01-09-2008, 11:19 AM
Yes, you should be using sessions to store user information rather than cookies. The reason is that the user has no access to the session file on your server stored below the web root, but since the cookie is stored on their computer, they can edit or inspect it any time they want. I think the method you are using to restore the session is secure enough, although someone could potentially restart someone else's session by entering a random string that happens to be the saved session for another user.

Posted by awatson, 01-09-2008, 12:33 PM
That's the basic way it's done. The key (like Czaries said) is to be sure you're using a sufficiently random key that can't be guessed.

Posted by jmichalicek, 01-09-2008, 02:20 PM
You might also remove the username from the cookie. Normally the username would be tied to the session in your table that tracks sessions. It's not necessarily a really big deal, usernames are quite commonly public knowledge anyway (a person's e-mail address or their displayed name on the system), but I see no need to expose something that doesn't need to be when it's no more work at all to not expose it.
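The "remember me" design the thread converges on, as an added example (not code from any poster): a long random token is minted at login, only its hash is kept in the DB, the cookie carries no username, and the return visit compares hashes in constant time. Python with an in-memory sqlite table is assumed; the 30-day lifetime is an assumed policy, and the `remember` table and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed in-memory store standing in for the thread's "SQL DB".
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE remember (selector TEXT PRIMARY KEY, "
           "validator_hash BLOB, username TEXT, expires INTEGER)")

TOKEN_TTL = 30 * 24 * 3600  # 30 days; assumed policy, not from the thread

def issue_token(username, now=None):
    """Login step: mint a fresh random token, store only its hash, return the cookie value."""
    now = int(time.time()) if now is None else now
    selector = secrets.token_hex(8)       # lookup key: unguessable, but not the secret
    validator = secrets.token_bytes(32)   # 256 random bits: this is the secret part
    db.execute("INSERT INTO remember VALUES (?, ?, ?, ?)",
               (selector, hashlib.sha256(validator).digest(), username, now + TOKEN_TTL))
    db.commit()
    # The cookie carries no username, and the DB never holds the raw secret,
    # so a leaked table does not let anyone forge a valid cookie.
    return f"{selector}:{validator.hex()}"

def restore_session(cookie, now=None):
    """Return visit: look up by selector, then compare the validator hash in constant time.
    Returns the username to restart the session for, or None if the cookie is not valid."""
    now = int(time.time()) if now is None else now
    try:
        selector, validator_hex = cookie.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:
        return None  # malformed cookie
    row = db.execute("SELECT validator_hash, username, expires FROM remember "
                     "WHERE selector = ?", (selector,)).fetchone()
    if row is None or row[2] < now:
        return None  # unknown selector or expired token
    if not hmac.compare_digest(row[0], hashlib.sha256(validator).digest()):
        return None  # right selector, wrong secret: treat as a forged cookie
    return row[1]

def revoke_token(cookie):
    """Logout or password change: delete the server-side row so the cookie becomes useless."""
    selector = cookie.split(":", 1)[0]
    db.execute("DELETE FROM remember WHERE selector = ?", (selector,))
    db.commit()
```

Guessing a token means guessing 256 random bits, which answers Czaries' concern; storing only the hash means a read of the table alone is not enough to impersonate anyone.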

Posted by aldo, 01-09-2008, 07:18 PM
Okay, thanks guys. I think I will go through with this.
