Aug 28, 2008, 19:22 #1
if($_SESSION['logged']) : Isn't that enough?
I have been reading about secure login through sessions. There is lots of advice about using tokens, hashes to store in either databases or as session variables, to make the login more secure.
I do not understand, though, how those methods help when an attacker gets an active/logged-in session id and uses it as if he were the actual user associated with that active session.
So, let's say I have validated a user through a login form, and created a session. Then I assign just a variable logged=true in the session and check it for the rest of the visits from that user.
Now, please tell me how, adding tokens, hashes, re-checking the database etc. prevents an attacker using the active session id to enter.
I hope this is clear. I may be confused with what I read so far and don't see the point here.
Last edited by glenngould; Aug 28, 2008 at 20:19.
Aug 29, 2008, 01:00 #2
This is really a large topic. There is no simple answer to your question. Implementation will dictate the benefits, if any, of the things you listed.
A web search for php security and similar terms will yield some info. A decent place to start is here: http://phpsec.org/
Aug 29, 2008, 05:36 #3
Well, if we don't go into shared session variables' danger of fixation and hijacking....
One problem I see with only that session['logg...] is:
if you have different levels of users who can do different tasks or access based on their levels....
Just in a plain way...
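As an added example (not code from any of the posters), here is a PHP sketch of the pieces the thread touches on: a fresh session id at login against fixation, cookie-only ids and an idle timeout to limit what a copied id is worth, and a role level in place of the bare `logged` flag from post #3. `lookup_user()` and the `ROLE_LEVELS` ladder are assumptions standing in for your own user store.

```php
<?php
// Added example, not code from the thread: the question's $_SESSION login plus
// a fresh id on login, cookie-only ids and a role level instead of a 'logged' flag.
declare(strict_types=1);
const ROLE_LEVELS = ['user' => 1, 'editor' => 2, 'admin' => 3]; // constructed ladder

function start_secure_session(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    session_set_cookie_params([
        'httponly' => true,  // id not readable by page scripts
        'secure'   => true,  // id only sent over HTTPS
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    // lookup_user() is hypothetical: returns ['id' => .., 'role' => ..] or null
    $user = lookup_user($username, $password);
    if ($user === null) {
        return false;
    }
    // Swap ids the moment privilege changes, so an id an attacker planted
    // before login (fixation) is never the id of the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user['id'];
    $_SESSION['role']      = $user['role'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Replaces if ($_SESSION['logged']) with an authentication and authorization check.
function require_role(string $minRole, int $idleLimit = 1800): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401); exit('login required');
    }
    // An idle session is what a copied id gets replayed against; retire it.
    if (time() - $_SESSION['last_seen'] > $idleLimit) {
        session_unset(); session_destroy();
        http_response_code(401); exit('session expired');
    }
    $_SESSION['last_seen'] = time();
    if ((ROLE_LEVELS[$_SESSION['role']] ?? 0) < (ROLE_LEVELS[$minRole] ?? PHP_INT_MAX)) {
        http_response_code(403); exit('insufficient role');
    }
}
```

Call `start_secure_session()` before any output on every page, `login()` from the form handler, and `require_role('editor')` (or whichever level the page needs) at the top of each protected script.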