  • #1
    Regular Coder
    Join Date
    Dec 2002
    Location
    Seattle, WA
    Posts
    116
    Thanks
    1
    Thanked 0 Times in 0 Posts

    verifying authentication - are sessions best?

    My login scripts usually consist of an initial page that tests the user/pass against the database and creates a session with a variable called AUTH or something stored in it. On pages behind the login, the session is looked for and if that AUTH variable exists then the user is considered to be authenticated and is not redirected away from the page.

    My question is, is this the best way to be doing things? I'm concerned that somebody could create a session and as long as it contained a variable with the right name they would be able to act as if logged in. Or does that not work because the session would have had to be created by php in a specific way?

    What if the AUTH variable contained some kind of unique id that would have to be verified? Would that make me any more secure then just having the variable in the first place? Thanks for your input. I look forward to reading your opinions.

  • #2
    Senior Coder
    Join Date
    Aug 2003
    Location
    One step ahead of you.
    Posts
    2,815
    Thanks
    0
    Thanked 3 Times in 3 Posts
    You should check some other things, not only the session id. You could check the user agent and/or IP address against the values stored when the session was created. You should also make sure that a session expires when the user is inactive and after some time (to force re-authentication every n hours). You could regenerate the session id on every page request so that an attacker would have only a short time span to "steal" the session.
    You should also search this forum as this was discussed a few times.
    I'm not sure if this was any help, but I hope it didn't make you stupider.

    Experience is something you get just after you really need it.
    PHP Installation Guide Feedback welcome.
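The following is an added example, not code posted by either participant in this thread. It puts the checks from the reply above (user agent and IP bound to the session, an inactivity timeout, an absolute lifetime, and id regeneration) into a small PHP helper, and also answers the original question: session data lives on the server and the browser holds only the session id cookie, so a client cannot invent an `AUTH` variable; the realistic risks are a stolen or fixated session id, which is what these checks address. Function names, the timeout constants and the `$userId` argument are assumptions; it assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the thread). Applies the session checks from post #2.
// Function names and limits below are assumptions, not a fixed convention.

const SESSION_IDLE_LIMIT     = 900;      // log out after 15 minutes of inactivity
const SESSION_ABSOLUTE_LIMIT = 8 * 3600; // force re-authentication every 8 hours

function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps page scripts from reading the id, Secure keeps it on HTTPS,
    // SameSite limits cross-site requests that would carry the cookie along.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call only after the username/password has been verified against the database.
function login_user(int $userId): void
{
    secure_session_start();
    // Fresh id at the moment of authentication, so an id that was handed to the
    // browser before login (session fixation) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'       => $userId,
        'created'       => time(),
        'last_activity' => time(),
        'ip'            => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua_hash'       => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns the authenticated user id, or null if the session fails any check.
function current_user(): ?int
{
    secure_session_start();
    if (!isset($_SESSION['user_id'], $_SESSION['created'], $_SESSION['last_activity'])) {
        return null;
    }
    $now = time();
    $ok = ($now - $_SESSION['last_activity']) <= SESSION_IDLE_LIMIT
       && ($now - $_SESSION['created']) <= SESSION_ABSOLUTE_LIMIT
       && $_SESSION['ip'] === ($_SERVER['REMOTE_ADDR'] ?? '')
       && hash_equals($_SESSION['ua_hash'],
                      hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''));
    if (!$ok) {
        // Any mismatch or expiry ends the session rather than letting it limp on.
        logout_user();
        return null;
    }
    $_SESSION['last_activity'] = $now;
    // Rotate the id on every request (as post #2 suggests) so a stolen id
    // stays usable only until the legitimate browser makes its next request.
    session_regenerate_id(true);
    return (int) $_SESSION['user_id'];
}

// On a protected page:
// if (current_user() === null) { header('Location: /login.php'); exit; }
```

Two caveats a practitioner should weigh before copying this: binding to `REMOTE_ADDR` logs out users whose address changes mid-session (mobile networks, some corporate proxies), and the user agent is entirely client-controlled, so that check only raises the bar slightly. Regenerating the id on every request can also break pages that fire several requests at once, so many deployments rotate only on login and at intervals instead.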

  • #3
    Regular Coder
    Join Date
    Dec 2002
    Location
    Seattle, WA
    Posts
    116
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Ahh, so I could store their IP when the session is created and make sure they are on the same one every time I check for the session. I think I can implement that one pretty easily and I'll look into the other suggestions.

