  1. #1

    Would this be Secure?

    I currently only use cookies for my user system. I see people saying they're not very secure and that sessions should be used. So my question is, should I use COOKIES and SESSIONS for my user system? For instance, since sessions only last until you close your browser or leave the site, I would store a random string and a username in cookies. The session ID and username are also stored in an SQL DB. When they log in, the random ID is made and stored in their browser and in the DB along with their username, and the session is then started. When they leave, the session ends but the cookie is still there. When they come back, I get the random ID and the user, and if it's in the DB (the ID and user match) their session is restarted. So is that secure or not? If not, what should I do to make it secure?

  2. #2
    Yes, you should be using sessions to store user information rather than cookies. The reason is that the user has no access to the session file on your server stored below the web root, but since the cookie is stored on their computer, they can edit or inspect it anytime they want. I think the method you are using to restore the session is secure enough, although someone could potentially restart someone else's session by entering a random string that happens to be the saved session for another user.
    InvoiceMore - Online Billing & Invoicing
    phpDataMapper - Object-Oriented PHP5 Data Mapper ORM

  3. #3
    That's the basic way it's done. The key (like Czaries said) is to be sure you're using a sufficiently random key that can't be guessed.
    Nexcess - Magento and Wordpress Hosting Specialists!

  4. #4
    You might also remove the username from the cookie. Normally the username would be tied to the session in your table that tracks sessions.

    It's not necessarily a really big deal, usernames are quite commonly public knowledge anyway (a person's e-mail address or their displayed name on the system), but I see no need to expose something that doesn't need to be when it's no more work at all to not expose it.
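    The scheme the replies above converge on (an unguessable random ID as the only thing in the cookie, with the username looked up server-side), as an added example that is not from any poster; it is written in Python with an in-memory SQLite table standing in for the poster's session table, and the 30-day lifetime is an assumed value.

    ```python
    import hashlib
    import secrets
    import sqlite3
    import time

    TOKEN_TTL = 30 * 24 * 3600  # remember-me lifetime in seconds (assumed value)


    def open_db() -> sqlite3.Connection:
        # Constructed for the example: stands in for the poster's SQL session table.
        conn = sqlite3.connect(":memory:")
        conn.execute(
            "CREATE TABLE remember_tokens ("
            "token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)"
        )
        return conn


    def _hash(token: str) -> str:
        # Only a hash is stored, so someone who reads the table still cannot forge a cookie.
        return hashlib.sha256(token.encode()).hexdigest()


    def issue_token(conn, username, now=None) -> str:
        """Create the 'random ID' for the cookie: 256 bits from the OS CSPRNG,
        which is what 'sufficiently random that it can't be guessed' means in practice."""
        now = int(time.time()) if now is None else now
        token = secrets.token_urlsafe(32)
        conn.execute("INSERT INTO remember_tokens VALUES (?, ?, ?)",
                     (_hash(token), username, now + TOKEN_TTL))
        return token  # this, and nothing else, goes in the cookie


    def restore_session(conn, cookie_token, now=None):
        """Map a presented cookie back to a username, or None if unknown or expired.
        The username comes from the table, not the cookie, so it cannot be tampered with."""
        now = int(time.time()) if now is None else now
        row = conn.execute("SELECT username, expires FROM remember_tokens WHERE token_hash = ?",
                           (_hash(cookie_token),)).fetchone()
        if row is None or row[1] <= now:
            return None
        return row[0]


    def revoke_token(conn, cookie_token) -> None:
        """Logout: delete the row so the cookie still sitting in the browser is useless."""
        conn.execute("DELETE FROM remember_tokens WHERE token_hash = ?", (_hash(cookie_token),))
    ```
    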

  5. #5
    Okay, thanks guys. I think I will go through with this.
