On Sat, 2007-02-24 at 20:05 -0800, benifactor wrote: > as of right now, when the user logs in, i have a cookie storing username... > then on all of the pages i need data i have it query the database and using > the cookie data to retrieve user information.. is there a more secure way to > do this?
This is horrible. It means if I know of any other user on your site and I think they may be logged in then I can change the username in my cookie and hijack their session. In fact, if you have any kind of system that exposes user input (such as a forum) then I can with great accuracy determine what users are logged in and are active thus making it trivial to hijack sessions. Instead of storing the username, create a unique ID (32 alphanumeric digits is common) that maps to the session data. This is what PHP native sessions do. Why not use PHP native sessions? They've done most of the work for you and they use cookies when it is detected that cookies are enabled. Cheers, Rob. -- .------------------------------------------------------------. | InterJinn Application Framework - http://www.interjinn.com | :------------------------------------------------------------: | An application and templating framework for PHP. Boasting | | a powerful, scalable system for accessing system services | | such as forms, properties, sessions, and caches. InterJinn | | also provides an extremely flexible architecture for | | creating re-usable components quickly and easily. | `------------------------------------------------------------' -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
