  1. #1 r2d2 (SitePoint Guru)

    Securing login system

    On a new site I am working on I need to have a login system. At the moment I am checking people are logged in by storing cookies on their system. I then use these cookies to check who they are logged in as on other pages in the system.

    What's the best way to make sure it's impossible to just edit the cookies so you are effectively logged in as someone else? vBulletin seems to store the md5 of the user's password. I guess this would be the best way?

    I was storing the userid, but realised this is not a very secure way to identify the user!

  2. #2 zeedoo (SitePoint Enthusiast)
    Cookies can be copied and moved to another system; it is always advisable to use PHP sessions along with cookies...

  3. #3 SitePoint Addict
    You can edit cookies and stuff? I never knew that... and how do people even do this?

  4. #4 r2d2 (SitePoint Guru)
    Sessions require a session ID in the URL though, don't they? I still want SEs to index my site.

  5. #5 website (Member)
    tommychi, yes, cookies can be altered. Even though IE doesn't provide a nice interface for it, that doesn't mean it can't be done. As a general rule, everything in computers can be faked; it's just a matter of knowing how to do it.

    PHP sessions do not require the session ID in the URL; they offer it as a possibility so that if your user doesn't support cookies, the session ID is stored in the URL. This is a rather risky thing to enable and I would advise you to turn it off. To turn off session IDs being stored in the URL, use something like this:
    PHP Code:
        ini_set('session.use_only_cookies', 1);
    I don't know how vBulletin does it, but I assume they use their own custom session "manager", not the PHP $_SESSION array, but rather saving sessions in the database. Although I know you can "modify" the $_SESSION array to use the database, I've seldom seen it done.
    A custom session "manager" is often preferred if you have a big/important site, since it offers more control over sessions. An example of how it would be better to use custom sessions: if you logged in on some public computer and forgot to log out, you could just go to the database and delete the session (or make a nice PHP interface to do it).

    Anyway, yes, simply storing the user ID in a cookie is not very secure; sessions (PHP or your own) are "teh sh1t".
    - website
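The database-backed session "manager" described in the post above, as an added example that is not code from the thread or from vBulletin: it plugs into PHP's own session machinery through SessionHandlerInterface, so $_SESSION keeps working, turns session.use_only_cookies on, and its revokeUser() covers the "forgot to log out on a public computer" case by deleting rows on the server. It assumes PHP 8 with PDO and the SQLite driver; the table and column names and the sessions.sqlite path are invented.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 with PDO + SQLite; table and column names are invented.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $ttl = 1800)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, user_id INTEGER, data TEXT NOT NULL, last_seen INTEGER NOT NULL)');
    }
    private function run(string $sql, array $params): PDOStatement
    {
        $st = $this->db->prepare($sql);   // always parameterised: the id comes straight from the cookie
        $st->execute($params);
        return $st;
    }
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $data = $this->run('SELECT data FROM sessions WHERE id = ? AND last_seen > ?', [$id, time() - $this->ttl])->fetchColumn();
        return $data === false ? '' : $data;   // '' tells PHP there is no such session
    }
    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated here, so the owning user can be indexed for revocation
        return $this->run('REPLACE INTO sessions (id, user_id, data, last_seen) VALUES (?, ?, ?, ?)',
            [$id, $_SESSION['user_id'] ?? null, $data, time()])->rowCount() > 0;
    }
    public function destroy(string $id): bool
    {
        return $this->run('DELETE FROM sessions WHERE id = ?', [$id])->rowCount() <= 1;   // 0 or 1 rows, either is fine
    }
    public function gc(int $max_lifetime): int|false
    {
        return $this->run('DELETE FROM sessions WHERE last_seen < ?', [time() - $max_lifetime])->rowCount();
    }
    // Consulted by PHP before it trusts the id found in the cookie (session.use_strict_mode = 1)
    public function validateId(string $id): bool
    {
        return $this->run('SELECT 1 FROM sessions WHERE id = ? AND last_seen > ?', [$id, time() - $this->ttl])->fetchColumn() !== false;
    }
    public function updateTimestamp(string $id, string $data): bool { return $this->write($id, $data); }
    public function revokeUser(int $userId): int   // server-side logout of every session a user has
    {
        return $this->run('DELETE FROM sessions WHERE user_id = ?', [$userId])->rowCount();
    }
}
ini_set('session.use_only_cookies', '1');   // the thread's setting: never carry the id in the URL
ini_set('session.use_strict_mode', '1');    // an id this store never issued (or has revoked) is rejected, not adopted
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_set_save_handler(new DbSessionHandler(new PDO('sqlite:' . __DIR__ . '/sessions.sqlite')), true);
session_start();
```

On successful login, call session_regenerate_id(true) before setting $_SESSION['user_id'], so the id that was issued before authentication is not the one that carries the login.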

  6. #6 r2d2 (SitePoint Guru)
    Thanks for that comprehensive answer website.

    I am using ini_set('session.use_only_cookies', 1); and am actually using sessions obviously, despite saying I didn't want to.

    Think I need to have a read about sessions and cookies.
