Thread: Script Security

  1. #1 The New Guy (Join Date Sep 2002, Location Canada)

    Script Security

    I am currently making a new script with a comment system. Now I have a post-comment script, which checks the cookie/session; if the cookie/session exists, it will produce a form that will allow the person to post a comment. If the session/cookie is not found, a different form is shown, in which they will have to enter their login information to post.

    Currently, when I check the cookie, I just check the username. I make sure the user exists, and then they can post. I know this is a flaw, hence this post.

    What sort of info should I put in the cookie/session to verify that the user is in fact that user?

    Also any other tips for this sort of thing would be helpful.
    "A nerd who gets contacts
    and a trendy hair cut is still a nerd"

    - Stephen Colbert on Apple Users

  2. #2
    ********* wombat firepages's Avatar
    Join Date
    Jul 2000
    Location
    Perth Australia
    Posts
    1,717
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you are checking a $_SESSION variable that holds the user ID or name then, short of someone hijacking a session (which is not impossible, but not worth the effort for comment systems etc.), you should be fine.

    If you also keep a record of the user IP when you start the user session (and check it against the $_SESSION when posting) this can help prevent simple session hijacking.
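
    The check described in the post above, as an added example that is not code from the original thread or from firepages: after a successful login the user ID and the client IP are stored in $_SESSION; the comment form is only served when both are present and the IP still matches, and the session ID is regenerated on login so an ID planted before login is useless. lookupUser() is a constructed stand-in for a real user table lookup (the username, password and ID in it are made up); the session cookie options assume PHP 7.3 or later.

```php
<?php
// Added example, not code from the original thread. Session-based gate for a
// post-comment script: store user ID + client IP in $_SESSION at login, and
// reject a session presented from a different IP. lookupUser() is a constructed
// stand-in for the users table; everything else is standard PHP (7.3+).
declare(strict_types=1);

// Harden the session cookie before any session data is touched.
// use_strict_mode makes PHP refuse session IDs it did not issue itself.
session_start([
    'use_strict_mode' => true,
    'cookie_httponly' => true,
    'cookie_secure'   => true,   // drop this only on a non-HTTPS dev box
    'cookie_samesite' => 'Lax',
]);

/** Constructed stand-in for the users table: username => [id, password hash]. */
function lookupUser(string $username, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        // Made-up account; a real app reads the hash from its database.
        $users = ['alice' => ['id' => 7, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$username]) || !password_verify($password, $users[$username]['hash'])) {
        return null;
    }
    return $users[$username]['id'];
}

/** Log the user in and bind the session to the client IP. */
function loginUser(string $username, string $password): bool
{
    $id = lookupUser($username, $password);
    if ($id === null) {
        return false;
    }
    // Fresh session ID on login so an ID fixed by an attacker beforehand is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $id;
    $_SESSION['ip']       = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['login_at'] = time();
    return true;
}

/** Return the logged-in user's ID, or null if there is no valid session. */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ip'])) {
        return null;
    }
    // The IP check from the post: a stolen session ID used from another address fails.
    // Caveat: users behind rotating proxies or on mobile networks get logged out by this.
    if ($_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        session_unset();
        session_destroy();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Flow of the post-comment script: login form and comment form both POST here.
if (isset($_POST['username'], $_POST['password'])) {
    if (!loginUser((string) $_POST['username'], (string) $_POST['password'])) {
        // Wrong credentials: show the login form again.
    }
}

$userId = currentUserId();
if ($userId === null) {
    // No valid session: show the login form.
} elseif (isset($_POST['comment'])) {
    // Valid session: store the comment against $userId (use prepared statements).
} else {
    // Valid session: show the comment form.
}
```

    Only the user ID lives in the session; the username is looked up from it when the comment is stored, so nothing the browser sends is trusted as identity except the session cookie itself.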

  3. #3 The New Guy (Join Date Sep 2002, Location Canada)
    Thanks, what about cookies?

  4. #4 firepages (Join Date Jul 2000, Location Perth Australia)
    If you mean using cookies so that the user does not have to log in on their next visit, then whatever you store in the cookie needs to be hashed etc., i.e. store the MD5() of your password in the cookie, not the password itself. Storing the username or ID in the cookie means that anyone can manipulate their own cookies to log in as somebody else by using a username or ID, which will be known or can be guessed; passwords, not so. Though of course, if a person gets hold of somebody else's cookie, then the password can be brute forced. That's why it's not a good idea to store passwords in any form in cookies for anything more important than a forum or guestbook etc.

  5. #5 The New Guy (Join Date Sep 2002, Location Canada)
    For something like this, would it be easier to just use sessions?

  6. #6 firepages (Join Date Jul 2000, Location Perth Australia)
    Up to you. If you want the logins to persist across several visits then you need to use cookies (session cookies can be given an extended lifetime, but that's a risk in itself); else, if you are happy to let the user log in on each visit, use sessions. I would mostly go for the latter; of course, on forums etc. that gets to be a pain for the user.
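
    As an added example (mine, not firepages' code or anything from the original thread), here is the persistent login discussed in posts #4 and #6 done without putting the password, or any hash of it, in the cookie. It swaps in a different technique: the browser gets a random "selector:validator" token, the server stores only a SHA-256 of the validator next to the user ID, and a returning visitor with a valid token gets a fresh session started for them instead of a long-lived session cookie. $rememberTokens is a constructed in-memory stand-in for a database table, the cookie name and 30-day lifetime are my choices, and the setcookie() options array assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the original thread. "Remember me" cookie that
// carries a random token rather than MD5(password). Server side keeps only
// sha256(validator), so a leaked token table cannot be replayed as cookies and
// the cookie itself says nothing about the password. $rememberTokens is a
// constructed stand-in for a database table.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';   // assumed name
const REMEMBER_DAYS   = 30;           // assumed lifetime

/** @var array<string, array{user_id:int, hash:string, expires:int}> constructed stand-in */
$rememberTokens = [];

/** Create a token for $userId, store its hash, and set the cookie. Returns the cookie value. */
function issueRememberCookie(int $userId, array &$store): string
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret; only the browser holds it in clear
    $expires   = time() + REMEMBER_DAYS * 86400;

    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $expires,
    ];

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $selector . ':' . $validator;
}

/** Resolve a cookie value to a user ID, or null if it is missing, malformed, expired or wrong. */
function userFromRememberCookie(string $cookie, array &$store): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak how many bytes matched.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: someone is guessing against a real token. Revoke it.
        unset($store[$selector]);
        return null;
    }
    return $row['user_id'];
}

/** On logout: forget the token server side and expire the cookie in the browser. */
function revokeRememberCookie(string $cookie, array &$store): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($store[$selector]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Usage. After a successful password login with "remember me" ticked:
//   issueRememberCookie($userId, $rememberTokens);
// On a later visit with no live session:
//   $uid = userFromRememberCookie($_COOKIE[REMEMBER_COOKIE] ?? '', $rememberTokens);
//   if ($uid !== null) { session_start(); session_regenerate_id(true); $_SESSION['user_id'] = $uid; }
```

    Because the cookie resolves to a user only through the server-side table, a leaked or guessed user ID is no use on its own, and a single stolen cookie is revoked by deleting one row rather than by forcing a password change.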
