Anti-Moronic, Posted December 8, 2010

Hi, I'd like to know how secure it is to rely on session variables for a membership system. Could a malicious user not create a session, then change the session username to another user's and effectively log in as that user?

As I see it, no, because session data is stored on the server and only a session id is stored on the client by way of a cookie.

But what if we used cookies? What is the solution to this? I know I could easily change ANY variable within a cookie. I guess storing cookie data in the db would help, but what is the best-practice solution?

I see a lot of code which simply checks for a cookie with the variable 'logged_in' set to true. It then manages the user by the username or userid stored within the cookie, which can be changed with ease by a malicious user.
Zurev, Posted December 8, 2010

Well, changing the session username doesn't seem to work out well, since here's an example session from my site:

a%3A4%3A%7Bs%3A10%3A%22session_id%22%3Bs%3A32%3A%221289e965a96ce1f60966e3c441e34488%22%3Bs%3A10%3A%22ip_address%22%3Bs%3A13%3A%2267.246.24.205%22%3Bs%3A10%3A%22user_agent%22%3Bs%3A50%3A%22Mozilla%2F5.0+%28Windows%3B+U%3B+Windows+NT+6.1%3B+en-US%3B+rv%22%3Bs%3A13%3A%22last_activity%22%3Bs%3A10%3A%221291791748%22%3B%7D8e963ecdfe380b6d6da27177057bd181

As for cookies, yes, anybody can change any value in them, but there are practices that make them secure. One concept I use is explained below:

Users have a userid and an activation key (both columns in a database).
When a user logs in, it generates a new sha1-hashed random string and sets their activation key to that.
It then sets their cookie to userid-activation key.
On each page the user visits, it automatically checks whether the userID in the cookie matches the activation key in the same row; if not, it deletes the cookie.

So really, I've yet to see a way to fool that, except for maybe more than one person logging in to the same account at the same time. It may be flawed, but that's just my way of approaching it.
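The userid-plus-random-key cookie scheme Zurev describes, written out as an added example (this is not code from the thread or from either poster, and it is in Python rather than PHP only so the logic can be run stand-alone). The in-memory USERS dictionary stands in for the database rows, and the example assumes two defensive refinements that the post does not spell out: the server stores only a hash of the key, so a leaked database dump does not yield valid cookies, and the comparison is constant-time. It also shows why the poster's caveat about two simultaneous logins holds: a second login overwrites the stored key and silently invalidates the first cookie.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the users table: userid -> row.
# 'activation_key_hash' is None when nobody is logged in on that account.
USERS = {
    1: {"username": "alice", "activation_key_hash": None},
    2: {"username": "bob", "activation_key_hash": None},
}


def _hash_key(key: str) -> str:
    # Only the hash is stored server-side; the raw key lives in the cookie alone.
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def login(userid: int) -> str:
    """Issue a fresh random key for this user and return the cookie value 'userid-key'.

    Any previously issued key for the same user is overwritten, which is why
    a second concurrent login logs the first browser out.
    """
    key = secrets.token_hex(32)                  # 256 bits of randomness, unguessable
    USERS[userid]["activation_key_hash"] = _hash_key(key)
    return f"{userid}-{key}"


def check_cookie(cookie: str):
    """Return the userid if the cookie is valid, else None (caller should clear the cookie).

    The userid in the cookie is never trusted on its own: it only selects which
    row to compare against, and the random key must match that row.
    """
    try:
        uid_str, key = cookie.split("-", 1)
        userid = int(uid_str)
    except ValueError:                           # malformed cookie
        return None
    row = USERS.get(userid)
    if row is None or row["activation_key_hash"] is None:
        return None                              # unknown user or logged out
    # Constant-time compare so timing does not leak how many hex digits matched.
    if not hmac.compare_digest(row["activation_key_hash"], _hash_key(key)):
        return None
    return userid


def logout(userid: int) -> None:
    """Invalidate the server-side key; every copy of the cookie stops working."""
    USERS[userid]["activation_key_hash"] = None


def tamper_demo() -> dict:
    """Show what happens when the userid in a valid cookie is edited to another user's id."""
    cookie = login(1)
    _, key = cookie.split("-", 1)
    results = {
        "genuine": check_cookie(cookie),          # alice's own cookie -> 1
        "userid_swapped": check_cookie(f"2-{key}"),   # alice's key, bob's id -> None
        "key_forged": check_cookie("1-" + "0" * 64),  # right id, guessed key -> None
    }
    logout(1)
    return results


if __name__ == "__main__":
    print(tamper_demo())
```

The same check applies in PHP with hash_equals() in place of hmac.compare_digest(), and the cookie should be set with the HttpOnly and Secure flags so the key is not readable from script or sent over plain HTTP.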