
Login secure?


Manixat


Hello freaks,

 

In this new project of mine I'm trying to make things as elegant as possible, so I'm trying to avoid any hashing and long strange-looking strings and other types of stuff that just scares the crap out of users who know no better. I've just thought of a way to keep users logged in without hashing any cookies, but I am not quite sure how secure it is. The way it works is: whenever a user logs in, I create a cookie in his browser named User_ID which contains only the numeric value of his ID in the database. The other thing I do is save his IP address in the database under the field "ip_last_login". That way, when the user opens the website again, his IP as well as his ID will be checked against the last logged IP, and if they don't match the cookie is deleted. Note that every time the user logs in from a different IP (using his password) the last login IP column is updated.


What I want to ask is whether it is vulnerable to XSS attacks or any other type of attack, because there might be some cracks in this type of system that I'm not aware of.

Thank you in advance.


Your method doesn't add any extra security. The person most likely to be attempting to log in as someone else will be doing it from the same wired or wireless network as the actual person and would have the same IP address as the actual person.

 

Your method of using the sequential database ID as the value in the cookie will allow someone to quickly cycle through a range of valid IDs. Depending on what your server-side logic is checking, at best this will allow them to log out all your actual visitors, and at worst it will let them eventually find any IDs that correspond to the IP address and log in. The value you store in the cookie to identify someone must be a hard-to-guess value, like a session ID is, which would not allow someone to simply cycle through a range of integers to come up with values to try.

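As an added illustration of the reply above (this is not code from the original thread), here is a small Python model of both schemes: the User_ID-plus-IP check the poster describes, with the integer enumeration the reply warns about run against it, beside a random session-token replacement. The user table, IP addresses and function names are constructed for the example; only the cookie name User_ID and the column name ip_last_login come from the post.

```python
import hashlib
import secrets

# Constructed sample user table standing in for the database in the post.
# Names and addresses are hypothetical; ip_last_login is the poster's column.
USERS = {
    1: {"name": "alice", "ip_last_login": "203.0.113.7"},
    2: {"name": "bob",   "ip_last_login": "198.51.100.22"},
    3: {"name": "carol", "ip_last_login": "203.0.113.7"},  # same NAT as alice
}


def resolve_user_insecure(cookies, client_ip):
    """The scheme from the original post: the User_ID cookie carries the raw
    database id and is accepted when the client IP equals ip_last_login."""
    raw = cookies.get("User_ID", "")
    if not raw.isdecimal():
        return None
    uid = int(raw)
    user = USERS.get(uid)
    if user is not None and user["ip_last_login"] == client_ip:
        return uid
    return None


def enumerate_ids(client_ip, max_id=1000):
    """What the reply describes: an attacker sharing the victim's address just
    cycles the integer and collects every id the server accepts."""
    return [
        uid for uid in range(1, max_id + 1)
        if resolve_user_insecure({"User_ID": str(uid)}, client_ip) == uid
    ]


# Hardened variant: an unguessable random token in the cookie, mapped to the
# user id on the server. Only a hash of the token is stored, so a leaked
# session table does not hand out usable cookies.
SESSIONS = {}  # sha256(token) -> user id


def create_session(uid):
    """Issue a session token for uid; the returned string is the cookie value."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, 43 chars
    SESSIONS[hashlib.sha256(token.encode()).hexdigest()] = uid
    return token


def resolve_user_secure(cookies):
    """Look the presented token up by its hash; unknown tokens resolve to None."""
    token = cookies.get("session")
    if not token:
        return None
    return SESSIONS.get(hashlib.sha256(token.encode()).hexdigest())


def enumerate_tokens(attempts=100_000):
    """The same brute-force loop against the token scheme: counting integers
    never lands on a 43-character random token, so this returns 0 hits."""
    return sum(
        1 for guess in range(attempts)
        if resolve_user_secure({"session": str(guess)}) is not None
    )
```

Running enumerate_ids with the shared address 203.0.113.7 returns both alice's and carol's ids in a thousand requests, which is the "eventually find any IDs that correspond to the IP address" case; enumerate_tokens returns 0 no matter how long it runs, because the search space is 2^256 rather than the number of rows in the users table. Two practitioner notes on the hardened half: the hash is only for the server-side copy (the user still receives the plain random token, so nothing "strange-looking" is forced on them beyond an opaque cookie), and the cookie should be set with the HttpOnly flag so that script injected into the page cannot read it, which is the XSS angle the original question raised.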
