Another Access control theory

turbo2ltr
Forum Commoner
Posts: 29
Joined: Sun Jul 18, 2004 4:08 pm

Another Access control theory

Post by turbo2ltr »

Sorry, no neat flow charts here.. :)

My site really doesn't need crazy security. It's a site similar to epinons in functionality.

Right now, I store users in the db. When a user logs in, a random unique key is generated and the key is stored as a cookie as well as in the DB under the user's "login status". If they have "remember me" checked, the cookie is good for a year, otherwise it's only good for the browser life.

I check the cookie key against the value in the DB any time the user tries to do something that needs auth (like post a review).

I would like to know what are the security holes in this model. The only thing I could think of is if someone stole the cookie, they could basically get the access level of the user whose cookie it is.

1: Is there a fix for this? I couldn't think of any without having something unique on the client side.
2: How big a hole is this? How easy is it to steal a cookie off someone's computer?
3: Are there any other holes?
4: How does this level of security compare to sessions? I couldn't think of any real difference since isn't the session ID stored in a cookie? (or worse yet, in the url..)


Thanks,
Mike
Last edited by turbo2ltr on Mon Jul 19, 2004 2:59 pm, edited 1 time in total.
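The scheme described in the post above (random key in a cookie, same key in the user's row, checked on every action that needs auth), written out as an added example with the hardening a reviewer would ask for. This is not turbo2ltr's code; it assumes PHP 7.3+ for the `setcookie()` options array, an existing PDO connection `$pdo`, and a hypothetical table `users(id, login_token_hash, login_token_expires)`, all of which are assumptions rather than anything the post describes.

```php
<?php
// Added example, not the original poster's code.
// Assumed schema (hypothetical):
//   users(id INT, login_token_hash CHAR(64) NULL, login_token_expires INT NULL)
declare(strict_types=1);

const LOGIN_COOKIE = 'login_key';

// Call after the password check succeeds. Returns the raw token (for tests/logging of issuance only).
function issue_login_token(PDO $pdo, int $userId, bool $remember): string
{
    // 256 bits from the CSPRNG: unguessable, unlike keys built from uniqid()/rand()/time().
    $token = bin2hex(random_bytes(32));

    // Store only a hash. If the DB is read (SQL injection, leaked backup), the
    // stored value cannot be presented as a cookie.
    $expires = time() + ($remember ? 365 * 86400 : 8 * 3600);
    $stmt = $pdo->prepare(
        'UPDATE users SET login_token_hash = ?, login_token_expires = ? WHERE id = ?'
    );
    $stmt->execute([hash('sha256', $token), $expires, $userId]);

    setcookie(LOGIN_COOKIE, $token, [
        'expires'  => $remember ? $expires : 0, // 0 = browser-lifetime cookie, as in the post
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP, so it cannot be sniffed on the wire
        'httponly' => true,   // not readable from JavaScript, so XSS cannot simply read it
        'samesite' => 'Lax',  // not attached to cross-site POSTs, which blunts CSRF
    ]);
    return $token;
}

// Returns the user id for a valid cookie, or null. Run this on every request
// that needs auth (posting a review, etc.), exactly as the post does.
function current_user_id(PDO $pdo): ?int
{
    $token = $_COOKIE[LOGIN_COOKIE] ?? '';
    // Reject anything that is not the exact shape we issue before touching the DB.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT id, login_token_expires FROM users WHERE login_token_hash = ?'
    );
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Server-side expiry bounds how long a stolen "remember me" cookie stays
    // useful, independent of the one-year lifetime the browser was told.
    if ($row === false || (int) $row['login_token_expires'] < time()) {
        return null;
    }
    return (int) $row['id'];
}

// Logout (and a password change) must clear the server-side copy. Deleting only
// the browser cookie leaves a stolen copy valid until it expires.
function revoke_login_token(PDO $pdo, int $userId): void
{
    $stmt = $pdo->prepare(
        'UPDATE users SET login_token_hash = NULL, login_token_expires = NULL WHERE id = ?'
    );
    $stmt->execute([$userId]);
    setcookie(LOGIN_COOKIE, '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Like the post's design, this keeps one token per user, so logging in on a second machine replaces the first machine's key; a per-session table would be needed to keep several devices logged in at once. None of the flags removes the basic risk the poster identifies: a cookie copied off the client is still accepted until it expires or is revoked. What they do is close the cheap ways of copying it (plain-HTTP sniffing, `document.cookie` from an injected script) and cap the damage window, which is the same trade-off a PHP session cookie makes.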
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

yeah.. it's the same risk as sessions.. so secure enough for most things..
turbo2ltr
Forum Commoner
Posts: 29
Joined: Sun Jul 18, 2004 4:08 pm

Post by turbo2ltr »

Feyd, how do you get any work done since you are always here? :)

Thanks for the quick response..you didn't even give me time to edit my post. :?
d3ad1ysp0rk
Forum Donator
Posts: 1661
Joined: Mon Oct 20, 2003 8:31 pm
Location: Maine, USA

Post by d3ad1ysp0rk »

turbo2ltr wrote:Feyd, how do you get any work done since you are always here? :)
He doesn't sleep.