verifying authentication - are sessions best?

09-24-2005, 04:13 PM
My login scripts usually consist of an initial page that tests the user/pass against the database and creates a session with a variable called AUTH or something stored in it. On pages behind the login, the session is looked for and if that AUTH variable exists then the user is considered to be authenticated and is not redirected away from the page.

My question is, is this the best way to be doing things? I'm concerned that somebody could create a session and as long as it contained a variable with the right name they would be able to act as if logged in. Or does that not work because the session would have had to be created by php in a specific way?

What if the AUTH variable contained some kind of unique id that would have to be verified? Would that make me any more secure than just having the variable in the first place? Thanks for your input. I look forward to reading your opinions.

09-24-2005, 04:46 PM
You should check some other things, not only the session id. You could check the user agent and/or IP address against the values stored when the session was created. You should also make sure that a session expires when the user is inactive and after some time (to force re-authentication every n hours). You could regenerate the session id on every page request so that an attacker would have only a short time span to "steal" the session.
You should also search this forum as this was discussed a few times.
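As an added example (not code from either poster), here is one way to put the checks from this reply together in PHP: the login handler regenerates the session id before marking the session as authenticated and records a client fingerprint plus timestamps, and every protected page calls require_auth() to verify them. lookup_user() is a hypothetical stand-in for the user/pass database check; the constants and field names are assumptions.

```php
<?php
session_start();

const IDLE_LIMIT = 15 * 60;      // log out after 15 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // force a fresh login after 8 hours regardless

function fingerprint(): string
{
    // Bind the session to the client's User-Agent and address. Including
    // REMOTE_ADDR is stricter but logs out users whose IP changes (proxies, mobile).
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

function lookup_user(string $user, string $pass): ?int
{
    // Hypothetical placeholder for the database check described in the thread.
    return null;
}

function login(string $user, string $pass): bool
{
    $userId = lookup_user($user, $pass);
    if ($userId === null) {
        return false;
    }
    // Drop the pre-login id so an id the attacker already knows never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION = [
        'AUTH'          => true,
        'user_id'       => $userId,
        'fingerprint'   => fingerprint(),
        'created_at'    => time(),
        'last_activity' => time(),
    ];
    return true;
}

function require_auth(): void
{
    $now = time();
    $ok = !empty($_SESSION['AUTH'])
        && hash_equals($_SESSION['fingerprint'] ?? '', fingerprint())
        && ($now - ($_SESSION['last_activity'] ?? 0)) <= IDLE_LIMIT
        && ($now - ($_SESSION['created_at'] ?? 0)) <= ABSOLUTE_LIMIT;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_activity'] = $now;
    session_regenerate_id(true); // new id per request shortens the life of a stolen one
}
```

Only the session id travels to the browser; the AUTH flag and the rest of $_SESSION stay on the server, which is why the checks focus on whether the id is being presented by the same client that logged in.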

09-24-2005, 07:10 PM
Ahh, so I could store their IP when the session is created and make sure they are on the same one every time I check for the session. I think I can implement that one pretty easily and I'll look into the other suggestions.