
I am using PHP and Codeigniter to do this. Currently I am just saving a cookie to the user with their username and a $logged_in variable set to true. Then when they try to access a page, I check for the status of their $logged_in, and if they are, they're free to access.

It occurs to me that this may not be the safest way to go about this. Is there a better tactic I should be using?

Cameron
  • I second @E_p .. no need inventing something else without a specific use-case against session state. However, proper encryption and HMAC of data can result in safe storing of information client-side without the use of a session (this has been demonstrated by ViewState in ASP.NET) - but there is no trivial way to do this that I know of. –  Nov 23 '12 at 21:04

2 Answers


It's not safe at all. A cookie is considered user input and it can't be trusted in any case.

Use sessions instead. Also you could use some sort of custom login encrypted code (I'd personally suggest SHA1) that is matched against the login code in the database and is refreshed every, let's say, 5 minutes.

Shoe
  • All forms generally come down to *using* a cookie (e.g. session or other nonce); the difference is in how the cookie is used. –  Nov 23 '12 at 21:02
  • This seems like a pain to manage .. what does this offer over existing session management? –  Nov 23 '12 at 21:07
  • @pst, PHP stores the session ID as a cookie and session are generally safer than cookies but yet not totally safe. The custom login code is an added security level. And after all not too hard to manage. [Read here for more information about how safe sessions are.](http://stackoverflow.com/questions/1181105/how-safe-are-php-session-variables) – Shoe Nov 23 '12 at 21:13
  • So, if someone *does* steal a session (or other cookie), how does this custom approach make it safer? –  Nov 23 '12 at 21:17
  • @pst, Let's make that the login code is refreshed per each page request (as the answer says in the link I posted). Let's say you manage to steal my login code, it will only work if the hacked user hasn't browsed a page in between. Otherwise it will be refreshed with a new one and the one stolen will be useless. Short story: you have to be lucky and fast in order to actually do some damage. – Shoe Nov 23 '12 at 22:23
  • @Jeffrey Not sure if you are aware of this, but CodeIgniter offers database sessions that provide better security than custom login code would, and is as easy as adding a database table and changing a few variables – William Lawn Stewart Nov 25 '12 at 02:09
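The contrast this answer draws, shown as an added example in plain PHP (not code from the question, the answer, or CodeIgniter's Session library): the cookie-trusting check the question describes beside a check that keeps the logged-in state on the server. It assumes PHP 7.3+ and a hypothetical `verify_credentials()` that returns a user id on a correct username/password and null otherwise.

```php
<?php
// Added example, not the questioner's code. verify_credentials() is a
// hypothetical helper assumed to exist elsewhere in the application.

// --- Vulnerable: trusts values the browser sends back -------------------
function is_logged_in_cookie(array $cookie): bool
{
    // Anyone can set logged_in=1 and any username in their own browser,
    // so this grants access without a password ever being checked.
    return isset($cookie['logged_in']) && $cookie['logged_in'] === '1';
}

// --- Hardened: the browser only holds an opaque session id ----------------
function start_secure_session(): void
{
    // HttpOnly keeps script from reading the id, Secure limits it to HTTPS,
    // SameSite stops it riding along on cross-site requests.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password): bool
{
    $user_id = verify_credentials($username, $password); // hypothetical
    if ($user_id === null) {
        return false;
    }
    // Issue a fresh id when privilege changes, so an id an attacker planted
    // before login (session fixation) is never the authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $user_id;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function is_logged_in_session(int $max_age = 1800): bool
{
    // The logged-in flag lives only in server-side session storage; the
    // client cannot edit it, only present the id that points at it.
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    if (time() - $_SESSION['logged_in_at'] > $max_age) {
        session_unset();
        session_destroy();   // expire stale sessions to limit a stolen id
        return false;
    }
    return true;
}
```

Call `start_secure_session()` before any output on every page that calls `login()` or `is_logged_in_session()`.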

CodeIgniter offers a nice solution to this problem - You can use Database Sessions.

With Database Sessions, all the data you put in a session is stored within your SQL database. The user gets a cookie with a unique session ID that changes on a regular basis. The session ID along with IP and User Agent is used to match up the user with their session data, thus making it impossible for users to tamper with their own session data, and very hard for them to hijack someone else's session.

You can read more about CodeIgniter Database Sessions in the CodeIgniter User Guide.

William Lawn Stewart