secure sessions ???


2 replies to this topic

#1 robcrozier


Posted 21 September 2006 - 06:19 PM

ok,

I'm trying to create a secure logon script that creates a session variable for the user so that they can access the secure pages.  However, at present I have created a session variable containing the user's 'username', which is pulled from the database when it has been confirmed that they are registered.  This works fine ... though I have my reservations about security.

Surely as it stands it would be pretty feasible for someone to obtain this session variable and access the secured pages.  I have been told that it is a good idea to keep changing the session variable as the user navigates to different pages.  Is this good advice?  And in order to do this would I have to register some sort of session key (like a string of digits or something e.g.  jhdgfhjg55jg5j353543879gg)???  This could then be changed when the user navigates to another page and would also be harder to obtain by a third party.

Any advice would be appreciated, Cheers!


#2 Daniel0


Posted 21 September 2006 - 06:35 PM

I think you should use cookies instead since they are stored on the client's computer and not the server computer (like I think sessions are). You should use an encrypted line (SSL). You should store a session_id as the ONLY cookie on the, the session id should be something random like:
uniqid(md5(microtime()));
Store the session id in a database along with other information. Check if the session id is set and then get the rest of the data from the database.

I believe that is more secure.
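
An added example, not part of the original posts: a database-backed session store along the lines discussed in this thread, which issues a random session id, keeps the user data server-side, and replaces the id on rotation. It draws the id from random_bytes() rather than uniqid(md5(microtime())), since the PHP manual states that uniqid() does not produce cryptographically secure values; the cookie name, table layout, timeout, in-memory SQLite database and the choice to store only a hash of the id are assumptions of this sketch.

```php
<?php
declare(strict_types=1);
// Added example: cookie name, table layout and timeout are assumptions.
const SESSION_TTL = 1800;   // assumed idle timeout in seconds
const COOKIE_NAME = 'sid';  // assumed cookie name

function open_store(): PDO {
    $db = new PDO('sqlite::memory:'); // stands in for the site's database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (id_hash TEXT PRIMARY KEY, username TEXT, expires INTEGER)');
    return $db;
}

// Create a session row and return the token that goes into the cookie.
function session_issue(PDO $db, string $username, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $username, $now + SESSION_TTL]);
    return $token; // only the hash is stored, so a database leak exposes no usable ids
}

// Return the username for a well-formed, unexpired token, otherwise null.
function session_lookup(PDO $db, string $token, int $now): ?string {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) return null;
    $q = $db->prepare('SELECT username FROM sessions WHERE id_hash = ? AND expires > ?');
    $q->execute([hash('sha256', $token), $now]);
    $user = $q->fetchColumn();
    return $user === false ? null : (string) $user;
}

// Swap the token for a fresh one (for instance at login); the old one stops working.
function session_rotate(PDO $db, string $old, int $now): ?string {
    $user = session_lookup($db, $old, $now);
    if ($user === null) return null;
    $db->prepare('DELETE FROM sessions WHERE id_hash = ?')->execute([hash('sha256', $old)]);
    return session_issue($db, $user, $now);
}

// The session id is the only cookie; Secure keeps it on SSL/TLS connections.
function send_cookie(string $token): void {
    setcookie(COOKIE_NAME, $token, ['expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo run: issue, rotate, then look up old, new and expired tokens.
$db = open_store(); $now = time();
$t1 = session_issue($db, 'alice', $now);
$t2 = session_rotate($db, $t1, $now);
var_dump(session_lookup($db, $t1, $now), session_lookup($db, $t2, $now),
         session_lookup($db, $t2, $now + SESSION_TTL + 1));
```

send_cookie() is defined but not called in the demo, because it has to run before any page output in a real request.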

#3 robcrozier


Posted 21 September 2006 - 06:40 PM

Thanks, I'll give it a go! :)



