
I use a session hash code that represents the user_agent and user_ip.

Also, I use session_set_cookie_params to set remember me in the login script.

How is my security status? And isn't it better to use setcookie instead of session_set_cookie_params for remember me? What features should I use for better security?

Sorry for my bad English.

  • horrible security... consider a million AOL users, all coming from the same NAT gateway, all running the same version of the aol browser, all getting the exact **SAME** session hash... – Marc B Jul 18 '13 at 15:40
  • An IP address *does not* uniquely identify a user. – David Jul 18 '13 at 15:42
  • *How is my security status?* -- Bad. – Amal Murali Jul 18 '13 at 15:52
  • Second part?? How is the security situation: setcookie or session_set_cookie_params? What is your suggestion for the improvement of security? If I use a crypt for the session and it is then recorded in a database, and for remember me I also use a random crypt, in this situation, now how about the security situation? – Ali Reza Jul 18 '13 at 16:36

1 Answer

As mentioned in the comments, you don't really have a secure setup going on. There are endless things to account for regarding security, but a good start would be to account for the following:

  • Session Hijacking / Fixation
  • SQL Injection
  • XSS (Cross-Server Scripting)
  • Brute Force attacks

A good beginner resource at first would be to check out phpacademy.

I've linked this a couple times also. I think it's a decent example of a PDO login system, which will help you avoid SQL Injection Attacks.

Assuming you have access to your php.ini file, you may want to look into what these commands do. They may or may not fit your needs, but they can be helpful to avoid Session Hijacking / Fixation by not allowing the PHPSESSID variable to be passed via URL and also making it inaccessible via JavaScript.

session.use_only_cookies = 1
session.cookie_httponly = 1
session.use_trans_sid = 0

Brute Force attacks can be mitigated by using proper hashing. Look into bcrypt or scrypt for more detail. You can also check out this discussion for a little more information on this.

  • I've already done all the things you said. I just want to know three things: 1. For remember me, which function should be used, setcookie or session_set_cookie? 2. And for security reasons, should the crypt for a cookie not be used, or be used? 3. I use the crypt for the session, and should I save the session to the database or not? – Ali Reza Jul 18 '13 at 16:55
  • 1) Not that simple, see [this](http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website). 2) The PHPSESSID generated is already a random set of numbers, so using crypt on it isn't really going to increase security much. Instead, look into SSL and create a "secure cookie" if there is a lot of sensitive data going on. I'm not sure I understand your 3rd point... If you're talking about storing the Session id in the database, then that's not necessary. The session id validates a user machine to the server. – Mattiavelli Jul 18 '13 at 17:09
  • For 3, I'm talking about session_hash? – Ali Reza Jul 18 '13 at 17:12
  • If you use `session_start()`, it automatically generates the cookie named PHPSESSID with a high-entropy value. You don't have to create a session hash value yourself. – Mattiavelli Jul 18 '13 at 17:17
  • I convert PHPSESSID to my session_name. – Ali Reza Jul 18 '13 at 17:44
  • If you're creating variables you'll have to elaborate on their purpose. I imagine you mean you created a session variable like `$_SESSION['session_name']`. What do you use this variable for? – Mattiavelli Jul 18 '13 at 18:38
  • I mean session_name(); – Ali Reza Jul 19 '13 at 04:11
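One way to put the answer's session settings, bcrypt verification and the remember-me question from the comments together in code, as an added example that is neither the answer's code nor the asker's: it assumes PHP 7.3 or later, an existing PDO handle `$pdo`, and tables `users(id, username, password_hash)` and `remember_tokens(selector, validator_hash, user_id, expires_at)`, all of which are assumptions.

```php
<?php
// Added example (not from the answer): hardened session setup plus a
// remember-me cookie kept separate from the PHP session. Table and column
// names and the $pdo handle are assumptions.

function startHardenedSession(): void {
    // Same directives the answer sets in php.ini, applied at runtime.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,      // plain session cookie, not a long-lived one
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(PDO $pdo, string $username, string $password): bool {
    // Prepared statement: user input never lands inside the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks bcrypt hashes produced by password_hash().
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh id after login defeats session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function issueRememberMeCookie(PDO $pdo, int $userId): void {
    // Random selector + validator; only a hash of the validator is stored,
    // so a leaked table does not hand out usable cookies.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 86400;
    $stmt = $pdo->prepare('INSERT INTO remember_tokens '
        . '(selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);
    // setcookie(), not the session cookie, carries the long-lived token.
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/',
        'secure'  => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

On a later visit, split the cookie on `:`, look up the row by selector, compare `hash('sha256', $validator)` against the stored hash with `hash_equals()`, and only then call `session_regenerate_id(true)` and set `$_SESSION['user_id']`.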