06-08-2007, 02:18 PM   #1
ScottyOB (Join Date: Jun 2007; Location: Sydney, Australia; Posts: 7)

Security flaw in login?

In your login tutorial (which I very much loved, by the way; I'm learning fast, thanks) I noticed that you used the user's ID (an auto-number) for the session. Correct me if I'm wrong, but doesn't this store the value in a cookie on the user's side, and can't these cookies be easily modified and changed by someone who knows what they're doing?

I mean, let's say for instance this style of login script was powering a forum system. If a user decided to create a new user, he'd be given a cookie with the ID of his user, right? But now let's say he changed that to someone else's user ID... our login system would think that this is the other user, right? (When he's not; he's a hacker.)

Some light researching provides this http://en.wikipedia.org/wiki/Session_hijacking.

Instead of user ID, could we not generate a random number, and set that to the SESSION ID? And have a separate table with the ID numbers and the generated SESSION ID in them??? I'm not sure this is the most professional way of going about it, but I'd love to hear what is.

Thanks for your time,

Scott

06-08-2007, 03:48 PM   #2
davidj (Join Date: Sep 2005; Location: The Toon (Newcastle upon Tyne); Posts: 8,256)

Quote:
In your login tutorial (which I very much loved, by the way; I'm learning fast, thanks) I noticed that you used the user's ID (an auto-number) for the session. Correct me if I'm wrong, but doesn't this store the value in a cookie on the user's side, and can't these cookies be easily modified and changed by someone who knows what they're doing?

You're not using cookies when using $_SESSION.

They are stored on the server, not the client machine.
__________________
Would you like to learn PHP from me? Check out -> www.codezenith.co.uk

06-09-2007, 01:42 AM   #3
ScottyOB (Join Date: Jun 2007; Location: Sydney, Australia; Posts: 7)
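To make the point above concrete, here is an added example of a PHP login that keeps the user's ID in $_SESSION; it is not the tutorial's own code and assumes a PDO connection $pdo and a `users` table with `id`, `username` and `password_hash` columns. The browser cookie only ever carries the opaque session identifier; the user ID sits in the server-side session store, and the ID is regenerated at login so a session identifier known before authentication does not survive into the logged-in session.

```php
<?php
// Added example (not the tutorial's code). Assumes a PDO connection $pdo and
// a table `users` with columns id, username, password_hash (all assumed).
session_start();

// Log a user in. Only the opaque session ID travels in the browser cookie
// (PHPSESSID by default); the user ID itself lives in the server-side
// session store, which is why editing the cookie cannot change it.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID at login so an identifier chosen or observed
    // before authentication is not carried over into the logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Identify the current user from the server-side session only; never read
// a user ID from GET, POST or a cookie the visitor can edit.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Clear the session data and expire the session cookie on logout.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```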

Oahhh, thank you so much for clearing that up for me. So it's perfectly safe using this method?

06-09-2007, 06:24 AM   #4
davidj (Join Date: Sep 2005; Location: The Toon (Newcastle upon Tyne); Posts: 8,256)

Yes, it's safe.