Xeoncross Posted February 2, 2007

Ok, I am trying to make as secure of a script as I can without using SSL. I found a page on it (http://www.devarticles.com/c/a/MySQL...ssions-in-PHP/ ) and I want to know if this is right.

Say I have a user table something like this:

    CREATE TABLE users (
        username varchar(255) NOT NULL,
        email varchar(255) NOT NULL,
        password varchar(255) NOT NULL,
        sid varchar(32)
    )

Every time someone logs in I create a SID value and stick one copy in the user's database table and another in a cookie to give back to the user. Then every time a page is requested I check the session ID in the cookie against the one in the database and if it is found then I let them in.

Now, is there anything else that I could do to make the session ID more secure? Since I want to store these in a database, do I need to make my own session functions? Should I make a new table and call it sessions and have it contain the SID and userID?

Also, I have lots of strlen(), mysql_real_escape_string(), gettype(), etc. functions to clean the values, so don't worry about that. I just want to know how to keep the user's session ID from being hijacked by a hacker.

Ok, here is some more reading if anyone else is interested:

Store Session Data in a MySQL Database
Download Chapter 4 of phpsecurity
Trick-Out Your Session Handler
PHP 101 (part 10): A Session In The Cookie Jar
Session Handling with PHP 4

Thanks, David
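The scheme the post describes (mint a random ID at login, keep one copy server-side, hand the other back in a cookie, look it up on every request) as an added, self-contained example. This is not code from the thread or from the devarticles page; it assumes PHP 7.3+ with PDO and the sqlite driver (in-memory SQLite stands in for MySQL so it runs offline), and the table layout, helper names (open_db, login, user_for_token, logout, session_cookie_options) and the demo user are invented for the illustration. It answers the "separate sessions table?" question with a sessions table keyed by the hash of the token, so a database dump does not contain usable session IDs, and it generates the token from a CSPRNG rather than from time or uniqid().

```php
<?php
// Added example, not part of the original thread. Assumes PHP 7.3+ with PDO/sqlite.
// Schema, helper names and sample data are invented for the demonstration.

const TOKEN_BYTES = 32;           // 256-bit token; hex form is 64 characters
const SESSION_TTL = 60 * 60 * 24; // sessions live 24 hours

function open_db(): PDO {
    // In-memory SQLite stands in for MySQL so the script runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    // One row per login (so a user can be logged in from several browsers),
    // keyed by the SHA-256 of the token rather than the token itself.
    $db->exec('CREATE TABLE sessions (
        sid_hash CHAR(64) PRIMARY KEY,
        user_id INTEGER NOT NULL,
        created INTEGER NOT NULL,
        expires INTEGER NOT NULL)');
    return $db;
}

function create_user(PDO $db, string $username, string $password): int {
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

// Verify the password and, on success, mint a fresh token for this login.
// Returns the raw token destined for the cookie, or null on failure.
function login(PDO $db, string $username, string $password, int $now): ?string {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(TOKEN_BYTES)); // CSPRNG; never md5(time()) or uniqid()
    $stmt  = $db->prepare('INSERT INTO sessions (sid_hash, user_id, created, expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int) $row['id'], $now, $now + SESSION_TTL]);
    return $token;
}

// Per-request check: hash the cookie value, look it up, enforce expiry.
// Returns the user id or null. Malformed cookies are rejected before any query.
function user_for_token(PDO $db, ?string $token, int $now): ?int {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, expires FROM sessions WHERE sid_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] <= $now) {
        return null;
    }
    return (int) $row['user_id'];
}

// Logout deletes this browser's token only; logins elsewhere stay valid.
function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE sid_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Cookie attributes for setcookie(). Without SSL the Secure flag cannot be
// used, so the token crosses the network in clear text; HttpOnly at least
// keeps it away from script, and SameSite limits cross-site replay.
function session_cookie_options(int $now, bool $https): array {
    return ['expires' => $now + SESSION_TTL, 'path' => '/', 'httponly' => true,
            'secure' => $https, 'samesite' => 'Lax'];
}

// Demonstration run with a constructed user.
$db  = open_db();
$now = time();
create_user($db, 'david', 'correct horse');
$token = login($db, 'david', 'correct horse', $now);
if (PHP_SAPI !== 'cli') {
    setcookie('sid', $token, session_cookie_options($now, !empty($_SERVER['HTTPS'])));
}
echo "fresh token: ",   user_for_token($db, $token, $now) === null ? "rejected" : "valid", "\n";
echo "after expiry: ",  user_for_token($db, $token, $now + SESSION_TTL + 1) === null ? "rejected" : "valid", "\n";
echo "altered token: ", user_for_token($db, strrev($token), $now) === null ? "rejected" : "valid", "\n";
logout($db, $token);
echo "after logout: ",  user_for_token($db, $token, $now) === null ? "rejected" : "valid", "\n";
```

Two design notes. Looking the row up by sha256(token) means the database equality test (which is not constant-time) only ever sees the hash, so a timing side channel leaks nothing that could be replayed; a stolen database likewise yields no live sessions. And prepared statements replace the mysql_real_escape_string() cleaning mentioned in the post: the mysql_* extension was removed in PHP 7, and binding parameters keeps the SQL and the data separate regardless of what the cookie contains.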
Jessica Posted February 2, 2007

Don't store the Session's ID, store the values. So the user has an ID; store that in cookie and session. Rely on session all the time. Then when there is no session, check for the cookie, and check IT against the database. You shouldn't need to check the session against the database.
Xeoncross Posted February 2, 2007 Author

> Don't store the Session's ID, store the values. So the user has an ID; store that in cookie and session. Rely on session all the time. Then when there is no session, check for the cookie, and check IT against the database. You shouldn't need to check the session against the database.

Sorry, I don't think I explained it right. There is NO data I would need to store in a session. All of the user data is in the database. I only need an ID in a session/cookie to prove it is the right person in the database.
Xeoncross Posted February 6, 2007 Author

bump