gazalec Posted June 8, 2007

Hi, I was just wondering what is the best way to do a secure login? Because I have been using PHP sessions but I recently found out these are quite unsafe, even after people telling me they are quite secure. I was just wondering if anyone has a truly secure login, as with sessions, session spoofing is quite easy to do and also all session data is stored in the tmp folder for anyone to read. Thanks for any help.
taith Posted June 8, 2007

While the session cookie (big long string of letters and numbers) is stored on the computer... and if your temp folder on the host isn't secure... session data is seeable... however... just don't store secure stuff there...

unset($_SESSION['user']['password'], $_SESSION['user']['creditcardnum']);

etc...
calabiyau Posted June 8, 2007

Well, for starters you can change the session save path and store your sessions in a folder of your choosing, preferably one above the document root. Or even better, you can save the sessions in a database. http://shiflett.org/articles
ToonMariner Posted June 8, 2007

If you use a secure socket layer and validate the username and password - make sure they don't have any SQL injection etc. - then that is as secure as you can get. Sessions are for maintaining the state of the login between requests. A client-side cookie transmits all the data in the cookie with each request - which others may intercept. Sessions store an id in a client-side cookie and the rest of the info is maintained on the server. Values can only be created or altered on the server, so the only thing someone can do is replicate it on their own machine and appear as another on the site. Provided that you request a password for anything like updating a profile OR keep the original email address of the user for ever, then you should be fine.
gazalec Posted June 8, 2007

Well, what I have is when they log in successfully their customer number then becomes their session id, and each page is displayed according to that. For instance, the previous orders page is always the same page; it just depends on what the session id is as to what information is extracted from the database, so if someone was to spoof or see and use this information, that means the customer's previous orders would be on show. I was just wondering: if I saved these sessions to a different folder, wouldn't someone still be able to create a form on their computer, assign their input a session id of, let's say, $_SESSION['cust_no'], and would they be able to access some of the website they shouldn't be able to? Or is the session id they assign saved on their computer, which my website wouldn't be able to read?
gazalec Posted June 8, 2007

Can I just ask, when a session is created how is it the web site reads it? Is it through the tmp folder on the server, so that then if someone creates a session on their local machine the server won't be reading that, it will be reading the tmp folder on the server?
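To illustrate the points raised in the thread in working code (a session save path above the document root, the customer number kept only in server-side session data, a fresh session id on login, and the orders page trusting the session rather than anything the client sends), here is an added example that is not code from any poster. The `$pdo` connection, the `customers` and `orders` tables, and the save path are assumptions; `password_verify()` needs PHP 5.5 or later.

```php
<?php
// Added example (not from the thread). Assumes: a PDO connection in $pdo,
// a `customers` table (cust_no, email, password_hash) and an `orders`
// table (order_id, cust_no, placed_at).

// Session files go in a directory outside the web root (assumed path),
// readable only by the PHP user, so nothing is "in the tmp folder for anyone to read".
ini_set('session.save_path', '/var/lib/php-sessions-myapp');
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.cookie_httponly', '1');    // the id cookie is not exposed to page scripts
ini_set('session.cookie_secure', '1');      // the id cookie is only sent over HTTPS
session_start();

// Verifies credentials and, on success, binds the customer number to the session.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT cust_no, password_hash FROM customers WHERE email = ?');
    $stmt->execute([$email]);               // bound parameter: input never becomes SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a new session id once the user is authenticated, so an id that
    // existed (or was planted) before login is no longer valid afterwards.
    session_regenerate_id(true);
    // $_SESSION is loaded from the server-side store; the browser only holds
    // the random id. A $_SESSION['cust_no'] set on a client's machine is
    // never read by this server, which answers the question above.
    $_SESSION['cust_no'] = (int) $row['cust_no'];
    return true;
}

// Returns the logged-in customer number or stops the request.
function requireLogin(): int
{
    if (empty($_SESSION['cust_no'])) {
        header('Location: /login.php');
        exit;
    }
    return (int) $_SESSION['cust_no'];
}

// orders.php: the customer is chosen by the server-side session, not by a
// form field or URL parameter, so one customer cannot view another's orders.
$custNo = requireLogin();
$stmt = $pdo->prepare('SELECT order_id, placed_at FROM orders WHERE cust_no = ?');
$stmt->execute([$custNo]);
$orders = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

The session id should also be regenerated on logout (`session_destroy()` followed by a new session) so a stale id cannot be reused.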