
Secure Login


gazalec


Hi, I was just wondering what is the best way to do a secure login? Because I have been using PHP sessions but I recently found out these are quite unsafe, even after people telling me they are quite secure. I was just wondering if anyone has a truly secure login, as with sessions, session spoofing is quite easy to do and also all session data is stored in the tmp folder for anyone to read.


Thanks for any help


While the session cookie (a big long string of letters and numbers) is stored on the computer... and if your temp folder on the host isn't secure... session data is viewable... however... just don't store secure stuff there... `unset($_SESSION['user']['password'], $_SESSION['user']['creditcardnum']);` etc...


If you use a secure socket layer and validate the username and password (make sure they don't have any SQL injection etc.), then that is as secure as you can get.


Sessions are for maintaining the state of the login between requests. A client-side cookie transmits all the data in the cookie with each request, which others may intercept.


Sessions store an id in a client-side cookie and the rest of the info is maintained on the server. Values can only be created or altered on the server, so the only thing someone can do is replicate it on their own machine and appear as another on the site. Provided that you request a password for anything like updating a profile OR keep the original email address of the user forever, then you should be fine.


Well, what I have is when they log in successfully their customer number then becomes their session id, and each page is displayed according to that. For instance, the previous orders page is always the same page; it just depends on what the session id is as to what information is extracted from the database. So if someone was to spoof or see and use this information, that means the customer's previous orders would be on show.


I was just wondering, if I saved these sessions to a different folder, wouldn't someone still be able to create a form on their computer, assign their input a session id of, let's say, $_SESSION['cust_no']? Would they be able to access some of the website they shouldn't be able to, or is the session id they assign saved on their computer, which my website wouldn't be able to read?


Can I just ask, when a session is created, how is it the website reads it? Is it through the tmp folder on the server, so that if someone creates a session on their local machine the server won't be reading that, it will be reading the tmp folder on the server?

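To make the server-side point concrete for the last two questions, here is an added example (my code, not from any poster in this thread): the random session id is the only thing in the cookie, the customer number lives solely in the server's session store, and the id is regenerated at login so a pre-set id cannot be reused. It assumes PHP 7.3 or later (array form of session_set_cookie_params), a PDO connection $pdo, and hypothetical customers and orders tables.

```php
<?php
// Added example, not from the thread: keep the customer number server-side only,
// so the browser never sends it and cannot alter it.
// Assumes PHP 7.3+, a PDO connection $pdo, and tables customers(cust_no, username,
// password_hash) and orders(order_id, cust_no, placed_at); all names are hypothetical.

session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,    // only sent over HTTPS (the SSL point made above)
    'httponly' => true,    // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT cust_no, password_hash FROM customers WHERE username = ?');
    $stmt->execute([$username]);   // bound parameter: no SQL injection via the username
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // New random id on login: an id a visitor fixed beforehand no longer maps to this data.
    session_regenerate_id(true);
    $_SESSION['cust_no'] = (int) $row['cust_no'];
    return true;
}

function currentCustomer(): ?int
{
    // Read only from the server-side session store. A $_SESSION value created on a
    // visitor's own machine never reaches this code; the cookie carries just the id.
    return isset($_SESSION['cust_no']) ? (int) $_SESSION['cust_no'] : null;
}

function previousOrders(PDO $pdo): array
{
    $custNo = currentCustomer();
    if ($custNo === null) {
        http_response_code(403);
        return [];
    }
    // The customer number comes from the session, never from a form field or URL,
    // so one customer cannot request another customer's orders.
    $stmt = $pdo->prepare('SELECT order_id, placed_at FROM orders WHERE cust_no = ?');
    $stmt->execute([$custNo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

A visitor can still present a copied session id, so the remaining defence is the one the reply above gives: re-ask for the password before sensitive changes and keep the session short-lived.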
