
I'm still new to PHP, but a lot of the things I've read suggest using Session Variables to check whether or not the user is logged in. I.e. I would add an includes.php file that would check if $_SESSION['login'] == true, but seeing as how Session variables are just cookies, someone could easily set that themselves, right? What is another way to go about checking to see if a user has been authenticated?

JosephD
    Read the following: http://stackoverflow.com/questions/1221447/what-do-i-need-to-store-in-the-php-session-when-user-logged-in/1225668#1225668 – Andrew Moore Jun 29 '11 at 11:19

4 Answers

2

Sessions are a lot different than cookies. All the data is stored on the server in a session file; the cookie itself only stores the browser identifier to match against the right session file on the server. One way or the other you will need cookies, so I believe it's pretty safe to say that you would be safe using sessions for checking authenticated users.

Sabeen Malik
1

Session variables are not just cookies. The client browser receives a cookie which attaches it to a session on the server, but only the server can set and read variables from $_SESSION.

While a client could pass any information they wanted to the server with a cookie, the session ID is difficult (though not impossible) to guess, making it difficult to hijack another user's session.

A common way to protect against hijacking a session is to store in $_SESSION a fingerprint of the user's IP address, user-agent string, or some other identifiable string. This could also be a random token string you generate and send down to the client while also storing in $_SESSION. On the next form post, you expect the token to be sent in a hidden input and match it against the one you've stored on the server.

Michael Berkowski
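The browser fingerprint and per-form token this answer describes, as an added PHP example that is not part of the original answer; the function names, the $_SESSION keys and the /login.php redirect target are this example's own assumptions:

```php
<?php
// Added example (not from the answer above): a minimal auth check and
// anti-hijacking fingerprint for PHP sessions, plus the per-form token the
// answer describes. Function and key names are this example's own choices.

session_start();

// Call once after the password check succeeds. Regenerating the id stops a
// session-fixation attacker from reusing an id they planted before login.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = session_fingerprint();
    $_SESSION['csrf_token']  = bin2hex(random_bytes(32)); // 256-bit token
}

// Fingerprint bound to the browser: a stolen session id presented from a
// different user agent will fail this check. (IP is left out on purpose:
// mobile and proxied clients change address mid-session.)
function session_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Include-style guard: true only if the server-side session carries a user
// id AND the fingerprint still matches. A client cannot forge either value;
// only the opaque session id ever travels in the cookie.
function is_authenticated(): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'])) {
        return false;
    }
    return hash_equals($_SESSION['fingerprint'], session_fingerprint());
}

// Verify the hidden-input token from a form post against the server copy.
// hash_equals() compares in constant time.
function csrf_token_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Use as an include at the top of every protected page.
if (!is_authenticated()) {
    header('Location: /login.php', true, 302);
    exit;
}
```

Render $_SESSION['csrf_token'] into a hidden input on each form and pass $_POST['csrf_token'] to csrf_token_valid() before acting on the post.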
1

but seeing as how Session variables are just cookies, someone could easily set that themselves right?

Wrong! A session cookie will contain just the token of the session, the session itself and its values will reside on the server. The token value, which the cookie will have, would be used to locate the session.

What is another way to go about checked to see if a user has been authenticated?

Store authentication in a database.

Shef
0

If you authenticate over HTTPS the cookie will be secured. Also, when you set a session you're handing the client a cookie with a random session UUID that will translate to a key-value store on your server; a client can't just set "login=true" and get access.

David
    HTTPS only secures the data sent via a login form (or any other form). It does not secure the way a user provides his session identifier. – fyr Jun 26 '11 at 20:41