
In my usual login systems with PHP, I use the $_SESSION variable.

When the user logs in, I give $_SESSION['user'] a value.

On a page, his login info is displayed only if $_SESSION['user'] has a value.

Is this secure enough? I see other login systems with extensive use of cookies with PHP to prevent "session stealing". What does that mean, how is it possible?

2006-06-25 22:12:42 · 3 answers · asked by alste 2 in Computers & Internet Programming & Design

3 answers

Well, it's possible but I don't think it is likely.

The PHP session management works like this:

1. A user enters into a page that has a session_start() command.
2. The system checks if the user sent a cookie with a PHP_SESSION_ID, a long "unique" number that should identify the user session.
If it received one, then the server loads into the $_SESSION array the variables that were previously stored for that session.
If a session_id is not received, then one is generated, a session is started and the cookie is sent to the user so it will return it the next time it requests something from the page.

What are the weak points of this?

Id numbers can't be truly unique, they have a fixed length so eventually they could be repeated. Fortunately they use really big random numbers that shouldn't repeat in a million years ;).
Further, the system is smart enough to deactivate sessions when they've been idle for too much time (like 15 minutes). That way, if you try to fake a session id by creating a false cookie, you'll have to be very very very lucky in order to get the same id as a currently active session.

If you are worried about the security of your site, I don't think this part of the app is where you should look. There are lots of weak points in web apps, and lots of known attacks that can be made.

I would recommend a book called "Essential PHP Security" that presents some nice problems and solutions to enhance the security of a site.

2006-07-02 04:30:59 · answer #1 · answered by mes 2 · 0 0
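As an added illustration of the session mechanics in this answer (not code from the answerer or the original page), here is a login flow written for PHP 7.3 or later that hardens the plain `$_SESSION['user']` pattern from the question; `check_credentials()` is a hypothetical helper that validates the supplied password, and the 15-minute idle limit is the figure the answer mentions.

```php
<?php
// Added example, not from the original answers: the $_SESSION['user']
// login pattern with the usual protections against a stolen or guessed
// session ID. check_credentials() is a hypothetical helper.

const IDLE_TIMEOUT = 15 * 60; // seconds; the "15 minutes" from the answer

// Reject session IDs the server never issued, so a planted or guessed
// cookie value cannot start a session of the attacker's choosing.
ini_set('session.use_strict_mode', '1');
// Never accept the session ID from the URL, only from the cookie.
ini_set('session.use_only_cookies', '1');
// Cookie flags: not readable by JavaScript (HttpOnly), only sent over
// HTTPS (Secure), and not attached to cross-site requests (SameSite).
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Enforce the idle timeout server-side rather than relying on GC defaults:
// drop the stale login and retire its ID so the old cookie is useless.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
    $_SESSION = [];
    session_regenerate_id(true);
}
$_SESSION['last_seen'] = time();

function login(string $user, string $password): bool
{
    if (!check_credentials($user, $password)) { // hypothetical helper
        return false;
    }
    // Issue a fresh ID on privilege change so an ID known before login
    // (session fixation) is not the one that becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    return true;
}

// Pages show login info only when this returns a user, as in the question.
function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}
```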

Think of security as a virtual fence. Some animals can jump 3 foot high fences. Others may jump a 5 foot high fence occasionally. Some can tear down stranded barbed wire, others will be adequately handled with an electric fence. Point is this, computer security is like this, what you are protecting, what animals may try and jump this virtual fence and which ones can tear it out have to be weighed against the cost of the fence, time to build it and cost to maintain it. In other words, is the protection level you've selected appropriate to the threat to the data you can foresee? Don't count on a 1 foot high fence to keep in a Great Dane, but it may work fine for a two day old duck!

2006-06-26 11:49:30 · answer #2 · answered by griz803 5 · 0 0

Yes, but not to hackers. You should know there is nothing safe in this world of computers.

2006-06-26 05:16:59 · answer #3 · answered by Joe_Young 6 · 0 0
