Best method for a secure user session?


random1


I've checked out various ways to create a login system and there seem to be many security issues with all of them.

What do the real PHP developers use in business applications?

Are cookies less secure than a PHP session object?

Which is the best way to have a user logged into a system using a database?

https://forums.phpfreaks.com/topic/95043-best-method-for-a-secure-user-session/

There is no real need to encrypt the sessions though, unless you give or set them from user input.

Sessions' main pro is that they're server side, meaning the user doesn't have access to these variables.

Unlike cookies, where a user can alter/view the cookie themselves.

It's the implementation of authenticating the user which should be looked at.

I store a unique key in a cookie (md5 of some info stored in the session).

If the cookie exists, then I compare it with the md5 of the session values; otherwise I destroy the session and cookie.

// key derived from two values held only in the server-side session
$_COOKIE['key'] = md5($_SESSION['username'] . $_SESSION['user_ip']);

Note: using the user's IP as part of the key, so the key can only be used from one machine location.

Also use an expiry for session length :) which you can reset on reauthentication. :)
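The cookie/session binding and expiry described in the post above, written out as a complete PHP page guard. This is an added example by the editor, not code from the thread. It assumes PHP 7.3 or later (for the array form of setcookie), HTTPS, and a per-deployment secret in an APP_SESSION_SECRET environment variable; the function names (bindingKey, startAuthenticatedSession, sessionIsValid, destroyAuthenticatedSession) are the editor's. It swaps the post's plain md5 for hash_hmac with that server secret, so the key cannot be recomputed from the username and IP address alone, and compares with hash_equals.

```php
<?php
// Added example (editor's code, not from the thread): the cookie/session binding
// described above, with an expiry that is refreshed on each valid request.
// Assumptions: PHP 7.3+ (array form of setcookie), HTTPS, and a per-deployment
// secret in the APP_SESSION_SECRET environment variable.
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // seconds of inactivity before the session expires

function serverSecret(): string
{
    $secret = getenv('APP_SESSION_SECRET');
    if ($secret === false || strlen($secret) < 32) {
        throw new RuntimeException('APP_SESSION_SECRET must be set to a long random value');
    }
    return $secret;
}

// Key derived from values that exist only server side. hash_hmac with a server
// secret is used instead of the post's plain md5, so the key cannot be
// recomputed by someone who merely knows the username and IP address.
function bindingKey(string $username, string $ip): string
{
    return hash_hmac('sha256', $username . '|' . $ip, serverSecret());
}

// Call once the password has been verified.
function startAuthenticatedSession(string $username): void
{
    session_regenerate_id(true);               // never keep a pre-login session id
    $_SESSION['username'] = $username;
    $_SESSION['user_ip']  = $_SERVER['REMOTE_ADDR'];
    $_SESSION['expires']  = time() + SESSION_LIFETIME;

    setcookie('key', bindingKey($username, $_SESSION['user_ip']), [
        'expires'  => $_SESSION['expires'],
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

// Returns true only if the session, the cookie and the expiry all agree.
function sessionIsValid(): bool
{
    if (!isset($_SESSION['username'], $_SESSION['user_ip'], $_SESSION['expires'], $_COOKIE['key'])) {
        return false;
    }
    if (time() > (int) $_SESSION['expires']) {
        return false;
    }
    $expected = bindingKey((string) $_SESSION['username'], (string) $_SESSION['user_ip']);
    // hash_equals compares in constant time, so the comparison does not leak
    // how many leading bytes of a guessed key were correct.
    return hash_equals($expected, (string) $_COOKIE['key']);
}

function destroyAuthenticatedSession(): void
{
    $_SESSION = [];
    setcookie('key', '', ['expires' => time() - 3600, 'path' => '/']);
    session_destroy();
}

// Usage on a protected page.
session_start();
if (!sessionIsValid()) {
    destroyAuthenticatedSession();
    http_response_code(401);
    exit('Session invalid or expired; please log in again.');
}
// Valid request: slide the expiry forward, as the post suggests for reauthentication.
$_SESSION['expires'] = time() + SESSION_LIFETIME;
```

The login handler calls startAuthenticatedSession() after the password check; every protected page runs the guard at the bottom. Because the cookie and the session expiry are both checked, a cookie copied to another client, or one presented after the session has lapsed, fails sessionIsValid() and the session is torn down, which is the behaviour the post describes.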

I don't know how reliable this is, please tell me, but:

If you can't resolve the IP address to a domain name with gethostbyaddr($_SERVER['REMOTE_ADDR']);, then I would deny access to make sure it's not a fake IP address. That way, for any hacking attacks, when you log it you can log the hostname and therefore have evidence of location/ISP etc. that I'm sure you can take to court if need be, though IP addresses can be spoofed so that they give a hostname anyway (spoof the client's IP with another real IP, like stealing someone's IP address).

Just a thought.
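The reverse lookup the post above talks about, as an added example by the editor (not code from the thread). It records the resolved hostname in the login log rather than denying access on it, and adds a forward-confirmation step: the name returned by gethostbyaddr must resolve back to the same address before it is trusted. The function names clientHostname and logLoginAttempt and the login.log path are the editor's assumptions; gethostbynamel handles IPv4 only.

```php
<?php
// Added example (editor's code, not from the thread): reverse lookup of the
// client address for the access log, with forward confirmation of the result.
declare(strict_types=1);

// Returns the forward-confirmed hostname for $ip, or null if there is none.
function clientHostname(string $ip): ?string
{
    $name = gethostbyaddr($ip);
    // gethostbyaddr returns the unchanged address when there is no PTR record
    // and false when the input is malformed; neither is a usable hostname.
    if ($name === false || $name === $ip) {
        return null;
    }
    // Forward-confirmed reverse DNS: the PTR name must resolve back to $ip.
    // gethostbynamel returns an array of IPv4 addresses or false (IPv4 only).
    $forward = gethostbynamel($name);
    if ($forward === false || !in_array($ip, $forward, true)) {
        return null;
    }
    return $name;
}

// Appends one line per login attempt, keeping the raw address as well as the
// hostname so the record is useful even when the lookup fails.
function logLoginAttempt(string $username, bool $success): void
{
    $ip   = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    $host = clientHostname($ip) ?? 'unresolved';
    $line = sprintf("%s user=%s ip=%s host=%s result=%s\n",
        date('c'), $username, $ip, $host, $success ? 'ok' : 'fail');
    // Assumption: login.log next to this script is writable by the web server.
    error_log($line, 3, __DIR__ . '/login.log');
}

// Usage from a login handler, after the password check has produced $ok.
// logLoginAttempt($username, $ok);
```

Logging both fields means a request whose address has no confirmed name is still recorded; the log entry then shows host=unresolved next to the address, which is the case the post is trying to surface.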
