How secure are cookies as a way to stay logged in? I use them, but it seems to me that it is probably very easy to write a program that will alter cookies 1000 times a second till the hacker is recognized as logged in.
Last edited by james438; 03-30-2010 at 05:23 AM.
To choose the lesser of two evils is still to choose evil. My personal site
Using PHP Sessions is probably better. Harder to fake them and all that.
{CWoT - Riddle } {Freelance Copywriter} {Learn to Write}
Follow Me on Twitter: @InkingHubris
PHP Code:
$result = mysql_query("SELECT finger FROM hand WHERE id=3");
echo $result;
How do you get around the problem of staying logged in with Sessions?
To choose the lesser of two evils is still to choose evil. My personal site
Generally speaking, sessions are gone after the visitor closes their browser. The server usually keeps session info around longer; this means that even though the browser has decided the session is gone, the server can still be tricked into thinking it's valid (if someone has stolen the session id, for example).
I don't know what the default session life is, but you can change it to whatever you please:
Originally Posted by php.net
Thanks for that. I'll try it out.
It is a bit hard to steal session ids, because they are processed server side. I can no more steal someone's session than I can their php code.
To choose the lesser of two evils is still to choose evil. My personal site
Cookies are not secure. They are stored on the user's computer.
Sessions are also not secure in the sense that they are linked to a session id cookie.
So if you are worried about a brute force attack, then there's not much you can do either way.
Cookies are not in any way secure. Sessions are completely secure except when someone has the session id cookie. Also, the session DATA is ALWAYS secure, regardless of having the session id cookie: the user gains access to being "logged in" for the session, but they do not gain direct access to the session data. In other words, session data is secure unless you output it to the user. You can theoretically store your mysql password in the session data and it will never be a security risk as long as you never echo $_SESSION['mysqlpw']. I'm not suggesting it, but there's no technical reason that's not secure. Your PHP script is the only way to access session data.
But that session id cookie will authenticate a computer as the correct computer, so that they can get whatever access your PHP script then allows to the session data.
Generally speaking, sessions are very secure and nothing to worry about.
One way to get around session concerns is to link the ID or security check to the IP address. I've done this and it works well and it is (I think) completely unhackable: you attach the IP address to the md5() check for password, or something along those lines, and there is no way that someone can hack around it by stealing the session id, etc.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
A session's vulnerability, like many things, is in transit. If you're not using SSL, someone could "listen in" and grab the session ID. If you're allowing sessions to use GET, using the session id is very easy. You can set sessions to use cookies only, which is safest.
As djr says, the actual data is as secure as you make it - but a malicious user could do whatever the legitimate user was allowed to do (such as deleting messages, changing their password, etc.).
Read more here, and the beginning of this paper gives a good intro to session security issues.
Last edited by traq; 03-28-2010 at 12:59 AM.
Originally Posted by djr33
One way to get around session concerns is to link the ID or security check to the IP address. I've done this and it works well and it is (I think) completely unhackable: you attach the IP address to the md5() check for password, or something along those lines, and there is no way that someone can hack around it by stealing the session id, etc.
This only works for static IPs, whereas more than 70% of the world is on dynamic IPs, so this would almost never work.
-Ben -- THE DYNAMIC DRIVERS
My Links: My DD Profile||My Youtube Video Tutorials||DD Helping Coders||DD Coders In Training
I told my client to press F5, the client pressed F, then 5, *facepalm*
What constitutes a dynamic IP address? I'll look this info up as well. djr33's idea sounds really good though.
To choose the lesser of two evils is still to choose evil. My personal site
Originally Posted by Ben
This only works for static IPs, whereas more than 70% of the world is on dynamic IPs, so this would almost never work.
That shouldn't be a problem. Of course the login will shift if the user's IP changes, but dynamic IPs don't change often enough that it's a risk to make the IP remain the same. If the IP changes every couple of days, then the user has to re-login after a couple of days. That's all.
Of course things can get messy if you are moving around a bit, such as with a laptop jumping from hotspot to hotspot, but while you are within a session, that should be fine. If you close the computer to move to another wifi hotspot, that's another session, really.
One problem might be with mobile devices because I don't know how IPs are distributed to, for example, 3G phones. That's something to consider.
However, no single session will be interrupted by a problematic number of "dynamic" IP changes.
Be sure that you don't require that the SAME IP ALWAYS be used, but instead, that within a SINGLE session, the same IP is used and if it changes that they have to reauthenticate.
Note: I used this system on a reasonably well used site and I never got complaints from users. It does mean that every time you go to the website (like each day) you may have to login again, but that is usually the case with sessions and sometimes with cookies. It's not a way to "keep me logged in forever" as some forums allow, but it is secure and will prevent session hacking.
Here's some basic code:
In the past when I did this I linked it to the password so it was something like md5($pw.$ip), but now that I think about it, that really isn't required, since you can store the IP directly into the $_SESSION array securely. You can also verify this against a database.
PHP Code:
session_start();
$_SESSION['verify'] = md5($_SERVER['REMOTE_ADDR']); // Use this line UPON LOGIN ONLY
// On later requests: compare hash with hash (not hash with the raw IP), and end the session on mismatch
if ($_SESSION['verify'] != md5($_SERVER['REMOTE_ADDR'])) { session_destroy(); /* etc. */ }
A more creative approach would be to generate a session ID that is based on the IP address and user's info like password or username, but I'm not exactly sure how that would work.
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
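A hardened version of the per-session IP check from the post above, as an added example that is not djr33's code: it compares fingerprint against fingerprint, regenerates the session id on login to defeat fixation, and applies traq's cookies-only advice. Keying the fingerprint with a server-side secret (SESSION_SECRET, a placeholder here) is my addition, and PHP 7.3 or later over HTTPS is assumed.

```php
<?php
// Added example, not the thread's code. Assumes PHP >= 7.3 over HTTPS;
// SESSION_SECRET is a placeholder for a long random server-side value.
declare(strict_types=1);

const SESSION_SECRET = 'replace-with-a-long-random-server-side-secret';

function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1'); // never accept the id via GET
    ini_set('session.use_strict_mode', '1');  // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => 0,     // expire with the browser
        'path'     => '/',
        'secure'   => true,  // only over TLS, so the id cannot be sniffed in transit
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Client fingerprint keyed with a server secret, so someone who only holds
// the session id cannot compute the value for a spoofed address.
function clientFingerprint(string $ip): string
{
    return hash_hmac('sha256', $ip, SESSION_SECRET);
}

// Call once, right after the password check succeeds.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);  // new id on login defeats session fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['verify']  = clientFingerprint($_SERVER['REMOTE_ADDR']);
}

// Call on every authenticated request. Within one session the IP must stay
// the same; a change ends the session and forces re-authentication.
function requireSameClient(): bool
{
    $expected = $_SESSION['verify'] ?? '';
    $actual   = clientFingerprint($_SERVER['REMOTE_ADDR'] ?? '');
    if ($expected === '' || !hash_equals($expected, $actual)) {
        $_SESSION = [];
        session_destroy();
        return false;  // caller redirects to the login page
    }
    return true;
}
```

Because the session id is a long random value issued only by the server and the fingerprint is compared in constant time, the "alter the cookie 1000 times a second" approach from the opening post has no practical chance of landing on a valid session.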