Security flaw in login?


ScottyOB
06-08-2007, 02:18 PM
In your login tutorial (which I very much loved, by the way; I'm learning fast, thanks) I noticed that you used the user's ID (an auto-number) for the session. Correct me if I'm wrong, but doesn't this store the value in a cookie on the user's side, and can't these cookies be easily modified and changed by someone who knows what they're doing?

I mean, let's say for instance this style of login script was powering a forum system. If a user decided to create a new user, he'd be given a cookie with the ID of his user, right? But now let's say he changed that to someone else's user ID... our login system would think that this is the other user, right? (When he's not; he's a hacker.)

Some light researching provides this http://en.wikipedia.org/wiki/Session_hijacking.

Instead of the user ID, could we not generate a random number and set that as the SESSION ID? And have a separate table with the ID numbers and the generated SESSION IDs in it? I'm not sure this is the most professional way of going about it, but I'd love to hear what is.

Thanks for your time,

Scott

davidj
06-08-2007, 03:48 PM
In your login tutorial (which I very much loved, by the way; I'm learning fast, thanks) I noticed that you used the user's ID (an auto-number) for the session. Correct me if I'm wrong, but doesn't this store the value in a cookie on the user's side, and can't these cookies be easily modified and changed by someone who knows what they're doing?


You're not using cookies when using $_SESSION.

They are stored on the server, not the client machine.
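
To make davidj's point concrete, here is an added example (my own code, not the tutorial's script discussed in this thread) of a PHP login that keeps the user ID in $_SESSION. The only thing the browser receives is the session identifier cookie (PHPSESSID by default); the user ID is looked up server-side from that identifier, so editing the cookie cannot change which user the server thinks you are. What an attacker could still do is steal or pre-set the identifier itself, which is the session hijacking the Wikipedia link above describes, so the example regenerates the identifier at login and marks the cookie HttpOnly and Secure. The user store (`lookup_user`, the username `scott`, ID 42 and the password) is a constructed stand-in for the tutorial's database query.

```php
<?php
// Added example: binding a logged-in user to a server-side PHP session.
// Not from the tutorial in this thread; lookup_user() and its one record
// are constructed stand-ins for a real database query.
declare(strict_types=1);

// The browser only ever sees the session identifier cookie, never the user ID.
// HttpOnly keeps page scripts from reading it; Secure keeps it on HTTPS only.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/** Constructed user store standing in for a users table (hypothetical). */
function lookup_user(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        // Sample record; the hash is computed at runtime so the file runs as-is.
        $users = [
            'scott' => [
                'id'            => 42,
                'password_hash' => password_hash('example-password', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$username] ?? null;
}

/** Verify the password, then bind the user ID to a freshly issued session. */
function login(string $username, string $password): bool
{
    $user = lookup_user($username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a new session ID at the moment privileges change, so an identifier
    // the browser already held before login (session fixation) is discarded.
    session_regenerate_id(true);
    // Stored in the server-side session file keyed by the new ID; the client
    // cannot read or modify this value.
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

/** Return the logged-in user's ID, or null when there is no valid login. */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Clear the server-side data and expire the identifier cookie on the client. */
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage on a protected page:
// if (current_user_id() === null) { header('Location: /login.php'); exit; }
```

The check on a protected page is simply whether `$_SESSION['user_id']` exists; because that array is populated from the server's session store, a forged cookie containing some other user's number does nothing, since the server never reads a user ID from the cookie at all.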

ScottyOB
06-09-2007, 01:42 AM
Ahhh, thank you so much for clearing that up for me. So it's perfectly safe using this method?

davidj
06-09-2007, 06:24 AM
Yes, it's safe.