Jump to content

Archived

This topic is now archived and is closed to further replies.

redgorilla

Writing paranoia secure login class with option

Recommended Posts

Hello. I have some experience in php and have just started writing of my own first medium sized script. I have used some ready classes but decided to make my own secure class and improve it later. So the most important part is security issue. I decided to make paranoiac class that will store unique created id in sessions, cookies and database both with user ip. So i think it will protect from stealing session and cookies. Is it paranoia or it will work?

Share this post


Link to post
Share on other sites
Red, could you be more clear? Do you mean that you want to store in a user session everyone's information? More likely, you mean you want to store everyone's information in a database and store a user's specific information in a session/cookie. But out of curiousity why do you want it to be "so secure"? I don't think adding more to a session will make things any more secure, and some things, such as IP address, will just make more trouble for yourself. Most likely, just the user id will be enough and you can query the database to confirm the user and his information at the beginning of each page if you are worried.

Share this post


Link to post
Share on other sites
[!--quoteo(post=373080:date=May 10 2006, 11:29 PM:name=Buyocat)--][div class=\'quotetop\']QUOTE(Buyocat @ May 10 2006, 11:29 PM) [snapback]373080[/snapback][/div][div class=\'quotemain\'][!--quotec--]
Red, could you be more clear? Do you mean that you want to store in a user session everyone's information? More likely, you mean you want to store everyone's information in a database and store a user's specific information in a session/cookie. But out of curiousity why do you want it to be "so secure"? I don't think adding more to a session will make things any more secure, and some things, such as IP address, will just make more trouble for yourself. Most likely, just the user id will be enough and you can query the database to confirm the user and his information at the beginning of each page if you are worried.
[/quote]

As i said it's paranoia :-). I just want to store unique code both in session and in cookies and compare it with value that stored in db. Or i should not use cookie at all for current use info?

Share this post


Link to post
Share on other sites
Just use a session (which at least from my experience seems to make a cookie along with it, though I think you can turn that off), and store the unique user id. That should be enough to identify users and mark them as in or out. If they somehow don't have their id on them you can shuttle them to a log in page with the header () function.

Share this post


Link to post
Share on other sites

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.