Jump to content

Security of $_SESSION for authentication


etrader

Recommended Posts

I've read lots of articles and discussions about security issues for using session for user authentication; but I did not come to an explicit conclusion which is the best method.

 

I decide to generate two session parameters (1) ID (2) a randomly generated Access Token which is stored in the database. I want to add more security:

 

1. Where to store session? server-side or client-side by session session.use_only_cookies ?

 

2. Is it good to check IP and User Agent before authentication by session? In this case I will lose the option of Remember Me as IP can be changed.

 

3. Which of the session parameters of http://php.net/manual/en/session.configuration.php is more practical to have a good security?

 

 

Any additional idea?

Link to comment
https://forums.phpfreaks.com/topic/250143-security-of-_session-for-authentication/
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.