
Currently a friend of mine and myself are working on a site together. We have our login system down, but are using sessions. I, myself, have always used cookies for logins, though my friend prefers sessions. I keep telling him we should have two or more sessions we can compare with the database to make sure it's the accurate user, and not someone who somehow scammed the ID.

For example:

$_SESSION['id'] = $YourId;
$_SESSION['salt'] = $SomethingElseTheDatabaseHas;

This making it more secure instead of just one session that the database can compare with.

Jake
  • http://stackoverflow.com/questions/328/php-session-security. I don't follow what you're saying about having 2 sessions. If you're worried about people 'scamming the id' read up on [session fixation](https://www.owasp.org/index.php/Session_fixation). – Mike B Aug 28 '12 at 02:00
  • See also: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website – Mike Aug 28 '12 at 02:02
  • Essentially, say you're using cookies. If you had one cookie which is your ID, then that's simple and easy enough to change. So you have two or more cookies to compare with the database to be secure – Jake Aug 28 '12 at 02:03
  • Why not 47 cookies? The odds of someone guessing a 128-bit hexadecimal number (or however many bits it is) are akin to you winning the lottery. In ten states. On the same day. For a week straight. <-- not actual math. You should be worried about XSS, not creating a false sense of security. – Lusitanian Aug 28 '12 at 02:07
  • Put IP, client browser to SESSION variable and compare with user. Simple as that – Peter Aug 28 '12 at 02:29

1 Answer


Using multiple session variables to store information does nothing for security since the session data is stored server-side. The only thing that the client knows about the session is the session ID that it stores in a cookie. The server uses the session ID to look up data for the user. If you're using a hash stored in a cookie to identify users, you might as well use sessions since that basically does the same thing, but makes working with a user's data much easier.

I'm not sure exactly what you mean by using cookies to store the data, but if you mean that the client would have a cookie with their user ID that the server uses for authentication, you should rewrite that immediately since it basically allows the user to be whoever they want.

G-Nugget
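The contrast the answer draws, as an added example that is not code from the question or the answer: the "user ID in a cookie" scheme the answer tells the asker to rewrite, beside a server-side PHP session where the client only ever holds an unguessable session ID and the ID is regenerated at login (the session-fixation point raised in the comments). It assumes a hypothetical `users` table with `id`, `username` and `password_hash` columns, a PDO connection `$pdo`, and PHP 7.3 or newer for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the original question or answer).
// (1) INSECURE: identity taken from a client-controlled cookie.
// (2) Server-side session: data lives on the server, client holds only the ID.
// Assumes a hypothetical users(id, username, password_hash) table and a PDO $pdo.

// --- (1) INSECURE --------------------------------------------------------
// The cookie value is chosen by the client, so anyone can send uid=1 and be
// user 1. A second cookie copied from the database does not fix this: the
// server is still trusting whatever the client sends.
function insecure_current_user(array $cookies): ?int
{
    return isset($cookies['uid']) ? (int) $cookies['uid'] : null;
}

// --- (2) Server-side session ---------------------------------------------
function start_secure_session(): void
{
    // Hardening choices assumed here; the page itself specifies none.
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL
    session_set_cookie_params([
        'httponly' => true,   // not readable by JavaScript (limits XSS theft of the ID)
        'secure'   => true,   // sent over HTTPS only
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh ID on login so an ID fixed by an attacker beforehand is useless.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];   // stored server-side; the client cannot edit it
    $_SESSION['login_time'] = time();
    return true;
}

function current_user(): ?int
{
    // Only the server can have put this here, via a successful login().
    return $_SESSION['id'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage sketch (request handling omitted):
//   start_secure_session();
//   if (login($pdo, $_POST['user'], $_POST['pass'])) { /* authenticated */ }
//   $uid = current_user();   // null when not logged in
```

In (1) the server has no way to tell a forged `uid` cookie from a real one, which is exactly the weakness the answer describes. In (2) the cookie carries only the session ID; the user's ID and anything else you store in `$_SESSION` never leaves the server, so adding more session variables changes nothing about how hard the session is to hijack. What does matter is keeping the ID itself secret (the cookie flags) and not honouring an ID the attacker chose (`use_strict_mode` plus `session_regenerate_id()` at login).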