
Session & Cookie Security


Anti-Moronic


Hi,

I'd like to know the security of assuming session variables and using them for secure membership systems.

Could a malicious user not create a session, then change the session username to another user and effectively log in as that user?

As I see it, no. Because session data is stored on the server and only a session id is stored on the client by way of a cookie.

But what if we used cookies? What is the solution to this? Because I know I could easily change ANY variables within a cookie.

I guess storing cookie data via db would help. But what is the best practice solution?

I see a lot of code which simply checks for a cookie with the variable 'logged_in' set to true. It then manages the user by username or userid, which are stored within the cookie but which can be changed with ease by a malicious user.


Well, changing the session username doesn't seem to work out well... since here's an example session from my site:

a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221289e965a96ce1f60966e3c441e34488%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2267.246.24.205%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%3B+rv%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221291791748%22%3B%7D8e963ecdfe380b6d6da27177057bd181

As for cookies, yes, anybody can change any value within them, but there are practices that make them secure. One concept I use is explained below:

Users have a userid and an activation key (both rows in a database).

When a user logs in, it generates a new sha1-hashed random string and sets their activation key to that.

It then sets their cookie to userid-activation key.

Each page the user visits automatically checks the cookie: if the userID in the cookie does not match the activation key in the same row, it deletes the cookie.

So really, I've yet to see a way to fool that, except for maybe more than one person logging in to the same account at the same time, but it may be flawed; it's just my way of approaching it.

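The "userid-activation key" cookie scheme from the reply above, written out as an added example (not code from the thread or its posters). It stores only a hash of the per-login token server-side, compares it in constant time, and sets the cookie flags a browser enforces; the `$users` array, the `login` cookie name and all function names are assumptions standing in for a real users table.

```php
<?php
// Added example: login cookie = "<userid>-<random token>", validated on every request.
declare(strict_types=1);

// Constructed sample "users" table: id => ['name' => ..., 'token_hash' => ...].
$users = [42 => ['name' => 'alice', 'token_hash' => null]];

// On login: mint a fresh random token, keep only its hash in the row, and hand the
// client "userid-token". A leaked DB row alone is then not enough to forge a cookie.
function issueLoginCookie(array &$users, int $userId): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $users[$userId]['token_hash'] = hash('sha256', $token);
    return $userId . '-' . $token;
}

// On each request: parse the cookie, look up the row by the user id it names, and
// check the token against that row. Returns the user id, or null if anything is off
// (the caller should then delete the cookie, as the reply describes).
function authenticateCookie(array $users, string $cookie): ?int
{
    if (!preg_match('/^(\d+)-([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                // malformed or edited value
    }
    $userId = (int) $m[1];
    $storedHash = $users[$userId]['token_hash'] ?? null;
    if ($storedHash === null) {
        return null;                                // unknown user or not logged in
    }
    // hash_equals compares in constant time, so response timing leaks nothing.
    return hash_equals($storedHash, hash('sha256', $m[2])) ? $userId : null;
}

// Browser-enforced attributes: HttpOnly keeps page scripts from reading the cookie,
// Secure limits it to HTTPS, SameSite limits when it is sent cross-site.
function sendLoginCookie(string $value): void
{
    setcookie('login', $value, [
        'expires'  => time() + 86400, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Demo: the issued cookie validates; changing the user id part to another account,
// or guessing the token, does not.
$cookie = issueLoginCookie($users, 42);
var_dump(authenticateCookie($users, $cookie));
var_dump(authenticateCookie($users, '7-' . explode('-', $cookie)[1]));   // swapped id
var_dump(authenticateCookie($users, '42-' . str_repeat('0', 64)));       // guessed token
```

Because each login overwrites `token_hash`, a second login from another device invalidates the first cookie, which is the concurrent-login limitation the reply mentions.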
