
So I have been looking into improving my sessions with clients and have a few questions:

- Do SESSIONS need to be somewhat cryptic? Why / why not?

- If I am able to pick up someone else's session id, is it possible to take over that person's session and browse as the client?

- If I have a session("email+pass+salt") but the current user is logged in on two different devices, like his laptop at home and his phone at work, will the client be able to navigate without any interruption from one to the other?

- Is it okay if I hash the session as "email+pass+salt+timestamp+ipadd"? Is that too much?

I tried looking for standard ways of doing this but hit a brick wall with many people showing VERY DIFFERENT examples.

  • 1, ok; 2, no; 3, no; 4, no; 5, no; 6, ok. You need to do some more research here. –  Sep 16 '13 at 21:40
  • @Dagon, Can you guide me to a proper place where I can learn more? I've been hitting brick walls here. – BlackBeltScripting Sep 16 '13 at 21:44
  • Why not just put a session cookie on the user's machine, and have the cookie expire in 2 weeks? The confidential stuff is left on the server side, and the session cookie is determined by PHP. If it is "mission critical" however, 2 weeks is a long time for a brute force attack. – Sablefoste Sep 16 '13 at 21:47
  • A session will only last in that "session" i.e. until the browser is closed. If you want it to last for 2 weeks, then you have to use a cookie. `$expire = time() + 60*60*24*14; setcookie('test','value', $expire);` The value you pass through can be any string, so if you want to hash it then that would work. But not quite sure why you would. – Source Sep 16 '13 at 21:49
  • Right, I'm confusing server sessions with cookies. It HAS been a while. What about making the SESSION somewhat cryptic? Dagon says 'no'. Can anyone explain WHY this is not necessary? – BlackBeltScripting Sep 16 '13 at 22:10
  • Session data is stored on the server, so no need to encrypt. –  Sep 16 '13 at 22:12
  • If your concern is session hijacking you should read this: http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking If your site security needs are 'average', you should use sessions as they are built in to PHP and move on to other things. –  Sep 16 '13 at 22:24
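To illustrate the advice in the comments (let PHP generate the opaque session id, regenerate it on login, and use a separate random token for a two-week "remember me" cookie instead of hashing email, password or IP into it), here is an added example that is not part of the question or any comment. The `users` and `remember_tokens` tables and their columns are assumptions.

```php
<?php
// Added example. Assumes a PDO connection $db, a users table
// (id, email, password_hash from password_hash()) and a remember_tokens table
// (user_id, token_hash, expires_at). All names are hypothetical.

// Cookie flags for the PHP session cookie. The session id itself is a random
// opaque value chosen by PHP; the real data lives server side, so nothing
// derived from email, password, salt or IP needs to be placed in the cookie.
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; server data expires separately
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS, so it cannot be sniffed in clear
    'httponly' => true,     // not readable from JavaScript, limits XSS-based theft
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh id at the privilege change so an id planted before login
    // (session fixation, see the linked thread) is never promoted.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Two-week persistence as suggested in the comments: a random token per device,
// stored only as a hash, so a leaked table row cannot be replayed as a cookie.
// Each device (laptop, phone) gets its own session id and its own token row,
// so one login never interferes with the other.
function issue_remember_token(PDO $db, int $userId): void {
    $token   = bin2hex(random_bytes(32));
    $expires = time() + 60 * 60 * 24 * 14;
    $db->prepare('INSERT INTO remember_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $expires]);
    setcookie('remember', $token, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

On a later visit without a live session, look up `hash('sha256', $_COOKIE['remember'])`, check `expires_at`, then call `session_regenerate_id(true)` before setting `$_SESSION['user_id']` again.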

0 Answers