  1. #1
    glenngould (SitePoint Guru), Join Date: Nov 2005, Posts: 661

    if($_SESSION['logged']) : Isn't that enough?

    I have been reading about secure login through sessions. There is a lot of advice about using tokens and hashes, stored either in databases or as session variables, to make the login more secure.

    I do not understand, though, how those methods help when an attacker gets an active/logged-in session id and uses it as if he were the actual user associated with that active session.

    So, let's say I have validated a user through a login form and created a session. Then I assign just a variable logged=true in the session and check it for the rest of the visits from that user.

    Now, please tell me how adding tokens, hashes, re-checking the database, etc. prevents an attacker from using the active session id to enter.

    I hope this is clear. I may be confused with what I read so far and don't see the point here.
    Last edited by glenngould; Aug 28, 2008 at 19:19.

  2. #2
    SitePoint Wizard (bronze trophy), Join Date: Jul 2008, Posts: 5,757

    This is really a large topic. There is no simple answer to your question. Implementation will dictate the benefits, if any, of the things you listed.

    A web search for "php security" and similar terms will yield some info. A decent place to start is here: http://phpsec.org/

  3. #3
    frank1 (SitePoint Wizard), Join Date: Oct 2005, Posts: 1,392

    Well, if we don't go into shared session variables, the danger of fixation and hijacking....
    One problem I see with only that session['logg...] is
    if you have different levels of users who can do different tasks or have access based on their levels....

    Just in a plain way...
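As an added example (not code from any poster), here is the point the replies gesture at, in PHP: a bare logged flag cannot stop a replayed session id, but regenerating the id on login defeats fixation, cookie flags plus a User-Agent check make theft and replay harder, and storing a role lets the check answer frank1's "different levels" case. The credential lookup verify_credentials() is a hypothetical stand-in and is assumed to return an array with id and role, or null.

```php
<?php
// Added example, not code from the thread. verify_credentials() is a
// hypothetical stand-in for the real credential check.

// Cookie flags limit how the session id can leak: HttpOnly keeps it away
// from script, Secure keeps it off plain HTTP, SameSite limits cross-site use.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function login(string $user, string $pass): bool
{
    $account = verify_credentials($user, $pass); // hypothetical: array or null
    if ($account === null) {
        return false;
    }
    // Drop the id the browser arrived with, so an id planted before
    // authentication (session fixation) never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $account['id'];
    $_SESSION['role']    = $account['role']; // answers "may this user do X?"
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    return true;
}

function require_role(string $role): void
{
    if (!isset($_SESSION['user_id'], $_SESSION['role'], $_SESSION['ua_hash'])) {
        logout();
    }
    // A replayed id sent from a different browser fails here. Only a speed
    // bump: a request that also copies the User-Agent header passes it.
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $ua)) {
        logout();
    }
    if ($_SESSION['role'] !== $role) {
        http_response_code(403);
        exit('forbidden');
    }
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

A page for administrators would call require_role('admin') at the top; a short idle timeout stored in the session would further shrink the window in which a leaked id is useful.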
