That was a really good idea djr33. I am using your suggestion and have stopped using cookies as a way to detect whether a person is logged in or not.
What do you do about shared networks where multiple computers use the same ipaddress?
I am now using cookies in addition to djr33's suggestion. I feel this is the most secure. Here is how it works:
When a user (admin) logs in for the first time there is a password form that needs to be filled out. Upon entering the correct password a 10 year cookie is created and an entry is stored in the database of the ip address of the user that entered the correct password. Only one ip address in the database is allowed to avoid being logged in as the same person at more than one computer.
If the admin then closes the browser and opens it again, the PHP will match $_SERVER['REMOTE_ADDR'] against the entry in the database. If there is a match then a session is created. The cookie is used as a safeguard against others on a different computer, but using the same ip address.
Just to be clear, if a person moves or decides to log in as admin at a neighbor's computer, then that ip address will replace the current entry in the database for the ip address, thus causing the admin to need to re-login when he goes back home to log in.
If a person logs out, the cookie is destroyed and the database entry for the ip address is erased.
If the password is altered, then the other person with the same ip address and valid cookie suddenly has a valid ip address and an invalid cookie and is thus logged out.
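The login-state rules laid out in the post above (one stored IP address, a long-lived cookie as the tie-breaker behind a shared address, replacement on login elsewhere, invalidation on logout and on password change) as an added, self-contained example; it is not code from the thread. It assumes the cookie holds a random token that is stored hashed next to the IP, and it keeps a single in-memory admin row in place of the database.

```python
import hashlib
import hmac
import secrets
from typing import Optional


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class AdminLoginState:
    """Constructed stand-in for the single admin row: one IP and one cookie token at a time."""

    def __init__(self, password: str) -> None:
        # Simplified for the example; real code would use password_hash()/bcrypt.
        self._password_hash = _sha256(password)
        self.ip: Optional[str] = None          # the one allowed address (None = nobody logged in)
        self.token_hash: Optional[str] = None  # hash of the cookie value we issued

    def login(self, remote_addr: str, password: str) -> Optional[str]:
        """Password form: on success record the caller's IP (replacing any
        previous one, the neighbour's-computer case) and issue a fresh cookie."""
        if not hmac.compare_digest(_sha256(password), self._password_hash):
            return None
        token = secrets.token_urlsafe(32)
        self.ip = remote_addr
        self.token_hash = _sha256(token)
        return token

    def is_logged_in(self, remote_addr: str, cookie: Optional[str]) -> bool:
        """Every page load: the address must match the stored IP AND the cookie
        must match the issued token. The cookie is what separates two machines
        that share one NAT address."""
        if self.ip is None or self.token_hash is None or cookie is None:
            return False
        return remote_addr == self.ip and hmac.compare_digest(_sha256(cookie), self.token_hash)

    def logout(self) -> None:
        """Logout clears both the IP entry and the cookie token."""
        self.ip = None
        self.token_hash = None

    def change_password(self, new_password: str) -> None:
        """A password change invalidates every outstanding cookie; the IP stays
        until the next login overwrites it."""
        self._password_hash = _sha256(new_password)
        self.token_hash = None
```

Note that $_SERVER['REMOTE_ADDR'] seen by the PHP is whatever address the last hop presented, so behind a campus NAT or a proxy several machines legitimately share it, which is exactly why the cookie check is not optional here.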
It's possible to approach it that way though generally it's better to use sessions with the IP method, since that will be smoother.
As for shared networks, I've never really thought/cared about it. If you are having your account stolen by someone sharing your internet connection, you've got bigger problems than what the website does for security.
Plus, there's no real way to do it that will be secured if a cookie is stolen and it is used on the same network. One possibility is to then use other identifying information such as the browser/OS type, etc., though that can get messy and probably won't quantitatively help that much.
I highly doubt any of my account info has been stolen, but I suppose you can never tell for sure ;). The reason I am looking into it is that I live near a college and use their free internet access (yes, it is legal) and it appears that a few of the ip addresses are the same: my PS3, which uses wifi, and my personal PC. I did not set up the wifi, so I do not know how the PS3 has the same ip address.
Anyway, that is why I am using your method plus another identifying feature such as a cookie. I like your idea about using something else such as screen resolution, OS type, or browser version as very few people would have that combination or use Opera like I do.
EDIT: I also added cookies again as it required editing only 2 pages: the login page and the database include().
EDIT: Now that I think about it, sessions are not really needed or in any way used; just the user's ip address and cookie. If you log in as admin then the ip address stored in the database is updated. If I forget the password or through poor coding create a junk password and lock myself out, I can always use my ftp account to fix things or alter the data directly via phpmyadmin.
hey guys.. in sessions, putting other variables in sessions will make the session even harder to crack, right? example in a session class:
PHP Code:
echo $ex->session["s_{$ex->session['s_id']}_user"];
am i correct??
Looking at the bit of code you posted, I have no real idea what it is you're doing (I'd need to know what the class looks like/does).
After reading your post, I'm not sure what, exactly, you're trying to do, or what you're trying to ask.
(What "other variables"? And why would anything you store inside a session make the session harder to "crack"?)
Maybe you can explain a bit?
No. It's not harder to crack. Sessions are just like other variables: they are data stored on the server. Additionally, if you have a session class, it won't be available from one page load to another.
My advice is that you stop trying to out think the system and instead learn to work with/within it.
There are possible security issues, but using awkward ways like this won't fix them. If you want real security, read a book about security issues, do what you can (such as using IP verification, but make sure it's the smartest way), then use https and other outside methods that secure it.