User authentication per browser.


KubeR


Hello,

 

I'd like to know if there are any alternatives to cookies, sessions and IP for user identification?

 

As cookies aren't secure enough, as they're easily compromised and untrustworthy.

As for sessions, I haven't seen a website that uses sessions for user identification, while still being told to use them in several "Login/Registration" tutorials, but they aren't secure/trustworthy in my opinion as they're editable.

 

IP isn't the best idea because people use proxies and can change IP per page or interval (and VPNs).

 

User agents are editable by plugins and aren't unique as far as I know.

 

 

Is there any trustworthy information that can be retrieved from the user?

Or combine a few into one?

(except evercookie)

 

 

 

P.S. I am aware of OpenID, OAuth and social media authentication, but I am not interested in other websites identifying users for me.

 

 

Appreciate any input.

You can't trust the values in cookies but that in no way whatsoever means you shouldn't use them.

 

Sessions are safe, given a typical PHP setup. Your opinion is incorrect.

Oh, by the way, sessions use cookies.

 

IP addresses aren't unique.


No offense, KubeR, but this is bollocks. You don't seem to understand what sessions actually are and how they work.

 

Standard PHP sessions consist of two parts: A session cookie which holds the session ID and the session file on the server. Since the actual session data is on the server, users don't have access to it. They can of course change their ID in the cookie, but that alone doesn't get them anywhere.

 

There are two security risks for standard sessions:

  • If the session ID can be intercepted or predicted, an attacker can take over the session (session hijacking).
  • If you adopt user-provided IDs (which is the default), an attacker can try to make the victim use a known ID and then take over the session after the victim has logged in (session fixation).

The first problem can be solved by using sufficiently random session IDs (see session.entropy_file and session.entropy_length) and only transmitting them over HTTPS. The second problem can be solved by generating a fresh ID in the log-in procedure.

 

So if used correctly, PHP sessions are secure. I'll happily discuss this in another thread.

 

Your statements about cookies are also wrong. Yes, the values are editable. But that simply means we need to check the integrity and authenticity of the data. This is typically done with a message authentication code. However, I don't recommend this approach, because it's very hard to get right compared to simply storing the session data on the server.

 

There are some alternatives to session-based authentication, most notably HTTP authentication and TLS client certificates. But they have problems as well and make little sense for an average website.
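The two fixes the reply above describes, a fresh session ID on login (against fixation) and a MAC-checked cookie (against tampering), as an added example that is not code from the original post. It assumes PHP 7.3 or later for the array-style cookie options and HTTPS for the `secure` flag; the `login`, `signCookieValue` and `verifyCookieValue` functions, the `$users` table and the `COOKIE_KEY` placeholder are constructed for the example.

```php
<?php
// Added example, not from the original thread: login routine that closes the
// session-fixation hole, plus an HMAC-signed cookie showing the integrity check
// the post mentions. Names and sample data below are constructed.

declare(strict_types=1);

// Hardened session cookie settings; must be set before session_start().
// 'secure' => true assumes the site is served over HTTPS.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// Constructed user table; the hash is for the password "correct horse".
// In a real application this comes from the database.
$users = [
    'alice' => password_hash('correct horse', PASSWORD_DEFAULT),
];

/**
 * Verify credentials and bind the session to the user. Regenerating the ID
 * here discards any ID an attacker planted before login (session fixation).
 */
function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    // true deletes the old session file, so the planted ID is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// ---- Signed cookie: the MAC approach the post describes and advises against
// unless you need it. The key must be random, secret and server-side only.
const COOKIE_KEY = 'PLACEHOLDER-replace-with-output-of-random_bytes(32)';

function signCookieValue(string $value): string
{
    $mac = hash_hmac('sha256', $value, COOKIE_KEY);
    return base64_encode($value) . '.' . $mac;
}

/** Returns the original value, or null if the cookie was altered or malformed. */
function verifyCookieValue(string $cookie): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$encoded, $mac] = $parts;
    $value = base64_decode($encoded, true);
    if ($value === false) {
        return null;
    }
    // hash_equals compares in constant time, so a forged MAC leaks no timing signal.
    $expected = hash_hmac('sha256', $value, COOKIE_KEY);
    return hash_equals($expected, $mac) ? $value : null;
}

// Usage in a login form handler. Authentication state itself stays in $_SESSION;
// the signed cookie only carries a non-sensitive preference.
if (($_POST['user'] ?? '') !== '' && login($users, $_POST['user'], $_POST['pass'] ?? '')) {
    setcookie('theme', signCookieValue('dark'), [
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// On a later request: a tampered or truncated cookie yields null, not a wrong value.
$theme = verifyCookieValue($_COOKIE['theme'] ?? '') ?? 'light';
```

The order matters: `session_regenerate_id(true)` runs only after the password check succeeds, so the ID the browser arrived with is never the one that becomes authenticated. The signed-cookie part exists to show what "check the integrity and authenticity" means in practice; as the post says, server-side session data avoids having to manage the key and the comparison at all.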
