Is this secure?


caster001

Hi Everyone,

I was hoping to get some feedback on how secure this method might be for a login.

I have the user log in with the username and password, then
that gets checked against md5 encrypted data on a database. If true, store the session_id in the database,
then store that username and password in the session, then every time on a user page compare the session data with the database stuff and if not true, then return the person to the login, destroying that session, all working under a constant URL checker to make sure the page is hitting the "https" address for the page encryption...

What's everyone's thoughts?
Link to comment
https://forums.phpfreaks.com/topic/28242-is-this-secure/
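
The login flow described in the post above, as an added example that is not code from the thread: it keeps the database-side session check but stores only the user id in the session and uses PHP's `password_hash()`/`password_verify()` in place of md5. The `users` table, its columns and the sample account are assumptions constructed for the example.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.
declare(strict_types=1);

session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, pass_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a salted, slow hash; it is used here in place of md5.
    if (!$row || !password_verify($password, $row['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true);             // fresh id after login blocks session fixation
    $_SESSION = ['uid' => (int) $row['id']]; // no username or password kept in the session
    // Store only a hash of the session id, so a leaked table cannot be replayed as a cookie.
    $db->prepare('UPDATE users SET sid_hash = ? WHERE id = ?')
       ->execute([hash('sha256', session_id()), $row['id']]);
    return true;
}

function current_user_id(PDO $db): ?int
{
    if (isset($_SESSION['uid'])) {
        $stmt = $db->prepare('SELECT sid_hash FROM users WHERE id = ?');
        $stmt->execute([$_SESSION['uid']]);
        $stored = $stmt->fetchColumn();
        if (is_string($stored) && hash_equals($stored, hash('sha256', session_id()))) {
            return $_SESSION['uid'];
        }
    }
    $_SESSION = [];     // mismatch: drop the session; the caller redirects to the login page
    session_destroy();
    return null;
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pass_hash TEXT, sid_hash TEXT)');
$db->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Wrong password, correct password, then the per-page check; printed once at the end.
var_dump([login($db, 'alice', 'wrong'), login($db, 'alice', 'correct horse'), current_user_id($db)]);
```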

Cool, so... bad idea on the session username and password,
but can't someone spoof the userid or the session_id... or is that not a problem since it would be kept in the database?


Put the password in it as well.
And, on every page,
do a check to see if the uid has that password.

say, user 1, password = joke.
if they change the cookie to user '2'
and you do the check, it won't match up.
[unless they have the same password, but, low chance]
Link to comment
https://forums.phpfreaks.com/topic/28242-is-this-secure/#findComment-129151

Alright, I think I get that.

Just quickly clarifying on this, I haven't as yet looked into cookies, just the whole session deal... I know they're not the same, but just with the session_id and user_id being unique... do I have to necessarily do anything with cookies... or yes I do and I'm just being a lazy twat and should learn about cookies anyway?
Link to comment
https://forums.phpfreaks.com/topic/28242-is-this-secure/#findComment-129160

Personally, I like cookies.
I think they're easier to use, and you know they are always going to be there [unless the user deletes it].
There is nothing harmful with having it.

And, if you want to protect it from CGers (getting the username and password in one shot),
you can simply make another column 'checkid',
md5 it, and use that instead of the password.
Link to comment
https://forums.phpfreaks.com/topic/28242-is-this-secure/#findComment-129161

(In ref to cheesierangel's post: yeah, I considered the whole cookie browser compatibility, all the stuff like that, but I think I might go with sessions for now. But I like how PHP works, so no doubt I'll have to learn it eventually... sooner rather than later.)

You're going to have to forgive me for being a bit... well, empty-headed on this one,

but, when you say... create another column... do you mean in the database, and
checkid, there's a command for that... or you're just recommending what I should call it?

Lol, sorry... still learning :D
Link to comment
https://forums.phpfreaks.com/topic/28242-is-this-secure/#findComment-129165

Archived

This topic is now archived and is closed to further replies.
