I have a question about security and session cookies on the site I'm building. This is what I am using:
When a user has logged in correctly, I set an 'authentication' value in the session. Elsewhere in the script I use this value: if ($_SESSION['authentication'] === 'fail') { ... } and if ($_SESSION['authentication'] === 'pass') { ... }
But now the question... I have the feeling that this is not safe, for security reasons... Is there a more secure way of whitelisting session cookies? Or is this a completely safe way?
Thanks in advance
Understand the difference between PHP sessions and cookies.
Cookies are strings that the server sends to the browser, and that the browser must send back to the server on every subsequent request until the cookie expires. For example, if the server sends the header

    Set-Cookie: foo=abc123; Expires=Wed, 09 Jun 2021 10:18:14 GMT

the browser will send the request header

    Cookie: foo=abc123

on every request until June 9, 2021. In a PHP script, $_COOKIE['foo'] will then be abc123.
PHP sessions are built on top of cookies, but they do not store values inside a cookie.
If you store $_SESSION['foo'] = 'abc123', the server does not send foo=abc123 to the client as a cookie; instead, a session is created in the server's session storage, and the cookie sent to the client contains only the session ID.
So, when you start the session, PHP generates a new session on the server with an auto-generated ID (if you are interested, you can read that ID), and this ID is (automatically) sent to the client as a cookie: PHPSESSID=PHP_SESSION_ID_HERE. All of this is done automatically by PHP, and you do not have to worry about it.
At the end of this story: yes, your code is safe, because it is not the case that you have a cookie authenticated=pass (which would be unsafe, because clients can easily set or overwrite cookies); instead you store that value in the PHP session, and the client only ever sees the session ID.
PS: Instead of simply storing a boolean 'authenticated', you will want to store more useful information in the session, such as the user ID of the authenticated user in the database, or whatever else is meaningful in your application.
PS2: PHP sessions have legacy support for browsers that do not have cookies enabled, but that is meaningless in 2015 (I wonder if anybody still disables cookies! If you do, 90% of websites stop working). So you should make sure you have these two ini settings (see the docs):

    session.use_cookies = 1
    session.use_only_cookies = 1
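As an added example (not part of the original question or answer), here is a minimal PHP login script that does what the answer recommends: the authentication state lives only in the server-side session, the session stores the user ID rather than a boolean (PS), and the two ini settings from PS2 are pinned before the session starts. The verify_credentials() function, the hard-coded user table and the session.use_strict_mode / session_regenerate_id() hardening are this example's own additions, not something the answer states; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the original question or answer.
// Assumption: a real application would look users up in a database;
// here a constructed in-memory user table stands in for it so the
// script runs on its own.

declare(strict_types=1);

// The session ID must only ever travel in a cookie, never in the URL (PS2).
ini_set('session.use_cookies', '1');
ini_set('session.use_only_cookies', '1');
// Extra hardening (not from the answer): reject session IDs the server never issued.
ini_set('session.use_strict_mode', '1');

// Attributes for the PHPSESSID cookie itself; the client only ever sees this ID.
session_set_cookie_params([
    'lifetime' => 0,        // plain session cookie, discarded when the browser closes
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample user table (the hash would normally come from the database).
$users = [
    'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

// Returns the user's database ID on success, null on failure (assumed helper).
function verify_credentials(array $users, string $username, string $password): ?int
{
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash'])
        ? $users[$username]['id']
        : null;
}

function login(int $userId): void
{
    // Fresh session ID on login so an ID handed out before authentication
    // cannot be reused (session fixation); the old server-side record is deleted.
    session_regenerate_id(true);
    // Stored on the server only; the browser never receives this value.
    $_SESSION['user_id'] = $userId;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $id = verify_credentials($users, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($id === null) {
        http_response_code(401);
        echo "Login failed\n";
    } else {
        login($id);
        echo "Logged in as user #{$id}\n";
    }
} elseif (current_user_id() !== null) {
    echo "Hello, user #" . current_user_id() . "\n";
} else {
    echo "Not logged in\n";
}
```

Because nothing but the random session ID ever reaches the browser, a client who edits their cookies can at most present an ID that PHP does not know (and, with use_strict_mode, refuses to adopt); they cannot forge the user_id value the way they could forge an authenticated=pass cookie.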