Ok, for my new site's security I am using SSL and cookies with "Basic Authentication" ($PHP_AUTH_USER etc.).
I have made it so the pages must be under a secure connection, and the cookies (user and pass) are sent over only a secure connection ("security:1"), encrypted in md5.
Then on the load of each page the user and password (encrypted) are checked against the one in the database.
I think this is about as secure as it gets... (over the internet with PHP) but I am not positive, which is the reason for typing this out.
Please give your input. Thanks.
Cookies Security
Cookies can be obtained with cross-site scripting tricks - not necessarily from your site but from another one.
Also, users on office networks are often vulnerable to various viruses which will sniff around on machines on the network, helping themselves to whatever they can find. How many networks are set up securely?
I use a system of temporary cookies with random names: each time a user logs in, they get a two-hour (or whatever you need) time limited cookie with a randomly generated name. This is stored in the user table and checked as necessary with each page load. Since it's not a permanent cookie, there isn't the same risk of cookie theft.
I don't think there is any system that can be made 100% secure, but avoiding the use of permanent cookies might be worth looking at.
I've a funny feeling that's just re-inventing the sessions wheel but I haven't got round to looking at sessions yet.
Yeah, I see what you're getting at... but what I want to know is how you can check a cookie without knowing its name? I don't quite understand.
Also, I have browsed over sessions but the first things I have read are that they are not totally secure. Maybe it's just how you use them.
I am just deciding whether sessions or possibly your way would work better. By the way, I am using this security for an admin page to update news on a website.
Also, playing around with it is just kinda fun too.. anyway, if I do start some small web design business I will want to know what I am doing.
Last edited by net7 on Fri Mar 21, 2003 1:45 pm, edited 1 time in total.
The cookie name is stored in the database - make a new column in your users table. The user must submit a valid name & pass to get a new cookie, and the new randomly generated cookie name overwrites the old name stored in the database.
This method has the overhead of a SELECT query to get the cookie name whenever you need to check the values stored in it.
The shorter the cookie time the more secure it is, but you don't want it to time out during a "session". Two hours? Something like that.
For an admin area for a news site, I guess medium level security is adequate. Permanent cookies could automatically log you in and so would be more convenient. For higher security needs, like an online shop, I'd be pulling out all the stops though.
Sorry I can't give you any advice on using sessions.
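The temporary-cookie scheme described in this reply and the earlier one (a random cookie name issued at login and stored in the users table, a SELECT on each page load to find that name and check the cookie, a two-hour limit) as an added worked example in PHP 7.4+. This is not code from the thread or from either poster. Assumptions: SQLite via PDO so it runs stand-alone, the table and column names users/token_name/token_hash/token_expires, and a plain 'user' cookie carrying the username so the page knows which row to read, since the thread does not say how that is learned. It also goes a little beyond the thread's description: the token is stored hashed so a read of the table does not yield a usable cookie, the cookies are set Secure and HttpOnly, the two-hour expiry is enforced server side rather than trusted to the browser, and the comparison is constant-time.

```php
<?php
// Added example, not code from the thread.  Implements the "temporary cookie
// with a random name" scheme: login stores a fresh random cookie name in the
// users table, and every page load does a SELECT to find that name and check
// the cookie's value and expiry.  Assumed: SQLite via PDO, the table/column
// names used below, a plain 'user' cookie carrying the username, and a
// two-hour lifetime.
declare(strict_types=1);

const TOKEN_LIFETIME = 2 * 60 * 60; // two hours, as suggested in the thread

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (
            id INTEGER PRIMARY KEY,
            username TEXT UNIQUE NOT NULL,
            pass_hash TEXT NOT NULL,
            token_name TEXT,
            token_hash TEXT,
            token_expires INTEGER)');
        // Constructed sample account.  The password itself is never stored.
        $st = $pdo->prepare('INSERT INTO users (username, pass_hash) VALUES (?, ?)');
        $st->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $pdo;
}

// Login: verify the password, then issue a new random cookie name and value.
// Writing the new name over the old one invalidates any earlier cookie.
// Returns the cookies to set as [name => value], or null on bad credentials.
function login(string $user, string $pass): ?array {
    $st = db()->prepare('SELECT id, pass_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return null;
    }
    $name    = 'c' . bin2hex(random_bytes(8)); // random cookie name
    $value   = bin2hex(random_bytes(32));      // 256-bit random token value
    $expires = time() + TOKEN_LIFETIME;
    // Only a hash of the token is stored, so reading the table does not
    // yield a usable cookie (an addition beyond the thread's description).
    $st = db()->prepare('UPDATE users SET token_name = ?, token_hash = ?, token_expires = ? WHERE id = ?');
    $st->execute([$name, hash('sha256', $value), $expires, $row['id']]);
    $cookies = ['user' => $user, $name => $value];
    if (PHP_SAPI !== 'cli') {
        foreach ($cookies as $n => $v) {
            setcookie($n, $v, [
                'expires'  => $expires,
                'path'     => '/',
                'secure'   => true,   // HTTPS only, the thread's "secure:1"
                'httponly' => true,   // not readable by page script
                'samesite' => 'Strict',
            ]);
        }
    }
    return $cookies;
}

// Per-page check: the SELECT the thread mentions fetches the user's current
// cookie name; the request must carry a cookie of that name whose hash
// matches and whose expiry has not passed.  Expiry is enforced here, not
// only through the cookie's own lifetime, which the client could ignore.
function checkCookies(array $cookies): ?string {
    $user = $cookies['user'] ?? null;
    if (!is_string($user)) {
        return null;
    }
    $st = db()->prepare('SELECT token_name, token_hash, token_expires FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['token_name'] === null
        || !isset($cookies[$row['token_name']])
        || (int) $row['token_expires'] < time()) {
        return null;
    }
    $presented = hash('sha256', (string) $cookies[$row['token_name']]);
    // Constant-time comparison so response timing does not leak the token.
    return hash_equals($row['token_hash'], $presented) ? $user : null;
}

// Logout or forced re-login: clear the server-side record.
function logout(string $user): void {
    $st = db()->prepare('UPDATE users SET token_name = NULL, token_hash = NULL, token_expires = NULL WHERE username = ?');
    $st->execute([$user]);
}

if (PHP_SAPI === 'cli') {
    // Constructed walk-through: each case prints "ok" if the scheme behaves as described.
    $report = fn(string $case, bool $ok) => printf("%-32s %s\n", $case, $ok ? 'ok' : 'FAIL');
    $report('wrong password rejected', login('admin', 'wrong') === null);
    $jar = login('admin', 'correct horse');
    $report('fresh cookie accepted', checkCookies($jar) === 'admin');
    $bad = $jar;
    foreach ($bad as $n => $v) { if ($n !== 'user') { $bad[$n] = str_repeat('0', 64); } }
    $report('tampered value rejected', checkCookies($bad) === null);
    login('admin', 'correct horse');
    $report('old cookie dead after new login', checkCookies($jar) === null);
    $jar = login('admin', 'correct horse');
    db()->exec('UPDATE users SET token_expires = 0'); // simulate the two hours passing
    $report('expired token rejected', checkCookies($jar) === null);
    logout('admin');
}
```

Run it with `php` on the command line and it walks through the cases the thread raises: a bad password, a valid cookie, a tampered value, a stale cookie after a fresh login has overwritten the stored name, and a token past its two-hour limit. The per-page cost is the one SELECT by username mentioned above; in a real deployment the functions would be called from the request handler with $_COOKIE instead of the constructed jar.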