stackoom
  简体   繁体   中英

How to make an authenticated user persist using a cookie

 原文  2011-02-24 19:50:46       php/ security

Question

I am making a registration/login system with php. I think I have all the initial login stuff worked out(hashing password with salt, store in db...).

My question is in regard to keeping a user logged in between pages after their initial login. The way I understand it is that one method is to have a table of sessions on your server that stores a random unique id for each user and to store that id in a cookie on the user's computer. This way for each page they load all you do is lookup their session id in your database.

What I don't understand is how is that is secure? Couldn't somebody just sniff the ID and then fake being that user. Someone could even just try guess IDs.

I also read that it is better if the ID changes on each page visit. How does this increase security? It seems it just would decrease the amount of time any ID could be used.

Also how would any of this change with a "Remember Me" feature that would be stored for long time?

2 answers

solution1
 3 ACCPTED  2011-02-24 19:56:32

The ID you are describing is precisely what the session ID is, except it's handled for you transparently by php (browsers pass along this session ID with the cookie).

The security flaw you are describing is precisely what firesheep takes advantage of. You can prevent the session ID from being sniffed by making sure that all authenticated requests to your site take place over ssl. This not only includes logging in, it also includes any time an authenticated user tries to access a page (which means the browser will be passing along an authenticated session id).

If a user tries to access a page not via SSL, you should ideally redirect them to an SSL page and give them a new session ID, because the old one could have been compromised.

solution2
 0  2011-02-24 20:15:55

The key to such a system is that you don't randomly generate the key--you generate it using facts about the user, ones that another client wouldn't have knowledge of--like the user's IP address, user-agent, and session id. Then you make the user authenticate using that key and their session id (which is transparently handled by PHP).

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to check if user is authenticated by cookie session on Laravel? How to make each authenticated user only see their own product How to get current authenticated user id using Vuejs and Laravel? how to get authenticated user data How to get the current authenticated user? How to search clients of the authenticated user? How to persist user data in different pages using php How can I access Python session by php to make sure that the user is authenticated and logged in? How to make sure a PHP script that handles an ajax request is not accessible to use and the user is authenticated? How to make cookie to safe
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM