Creating a secure login using sessions and cookies in PHP
I am making a login script that I would like to be as secure as possible. Problem is, security seems to be a never ending battle. So essentially, I am looking for suggestion
-
SESSION more secure than cookie and my advise is to create a unique id for the current login attempted like :
$id = uniqid(); $_SESSION['username'.$id] = "something ...";讨论(0) -
There is no such thing as secure cookie UNLESS it's transmitted over SSL only. It can be mitigated some when using a persistent non-session cookie (like remember me), by doing exactly what you're doing, but not in the same way you're thinking of doing it.
You can indeed store server variables such as the user-agent, the ip address and so forth (and even JavaScript variables), but they are only good for validating that the persistent cookie data matches the client's new connection. The ip address isn't a good idea except when you know that the client (like you only) isn't going to change on every page load (a la AOL).
Modern web browsers and 3rd party services like LastPass can store login credentials that only require a key press (and sometimes not even that) to send the data to the login form. Persistent cookies are only good for those people who refuse to use what's available otherwise. In the end, persistent, non-session cookies are not really required anymore.
讨论(0) -
Stop what you are doing. Do not check the
user-agentor the ip address. The user-agent is an attacker controlled variable and checking this value does not increase the security of this system. The ip address will change for legitimate reasons, such as if a user is behind a load balancer or TOR.A session id must always be a cryptographic nonce. In php just call
session_start()and then start using the$_SESSIONsuper global. PHP takes care of all of this for you. If you want to improve php's session handler, use the configurations. Enableuse_only_cookies,cookie_httponlyandcookie_secure. Also setting theentropy_fileto/dev/urandomis a good idea if you are on a *nix system but if your under windows then your in trouble.For instance to authenticate a user:
//In a header file session_start(); ... if(check_login($_POST['user_name'],$_POST['password'])){ //Primary key of this user $_SESSION['user_id']=get_user_id($_POST['user_name']); $_SESSION['logged_id']=True; }And to verify if a user is logged in:
//in a header file session_start() ... if(!$_SESSION['logged_id']){ header("location: login.php"); die();//The script will keep executing unless you die() }To improve this system read OWASP A9 and use HTTPS for the entire life of the session. Also read OWASP A5: CSRF aka "session riding" and OWASP A2: XSS because they can both be used to compromise a session.
讨论(0) -
I use a cookie based method (using setcookie function) but ....
session_start(); ... if(check_login($_POST['user_name'],$_POST['password'])){ //Primary key of this user $_SESSION['user_id']=get_user_id($_POST['user_name']); $_SESSION['logged_id']=True; }...these methods are wrooooong !!!!
I crack my website with an attack based on the cookie.
- I used cookie option of the WebCruiser vulnerability scanner, so I get my cookie after login.
- Then I changed a simply value on cookie
- Then I clicked save cookie.
- At this point I clicked on webbrowser see on the left panel then I clicked right then I clicked on refresh page, so I got my admin page without using the login page with user and password.
So if someone push you a virus to read the cookie history of IE or Firefox, you'll be happy to find out your admin user and pass can be used by others.
So how to fix the problem? Simple: combine the cookie with session server or session's cookie with sessions server, or session with file session, or cookie with file session.... will be secure but slow :((((
讨论(0) -
I keep all login data in the users session, this way its all stored server side.
The only thing i would store in a client cookie is stuff like 'auto login', 'session id'
讨论(0)
加载中...
- 热议问题