Hello all --
I'm new to PHP and web development. I'm creating a website that allows users to create accounts/login. Post authentication, the user is redirected to their personalized dashboard. I read a few tutorials regarding handling authentication, and every tutorial suggests that, upon successfully authenticating, you store a cookie with the user's id from the database. I have everything working properly, but I have a pretty strong security background and I know that this cannot be the only method of securing member pages (e.g., I opened the page in Firefox, edited the cookie, inserted another member ID, and could break the entire security paradigm).
I was thinking of a scheme where a random number, r, is generated when a user logs in, and that number is hashed, c, and stored in a second cookie. r could then be stored in a database, and each member-only page can get the UserID from a session database and then check whether the SHA1(r) in the database matches the value in the cookie, c.
Is this the right approach? Either way, could you point me in the direction of a tutorial that addresses security beyond user_ids in cookies?
Also, if this is the right approach, isn't that a lot of overhead? Two database lookups for each page visit?
Thanks!
authentication/modifying cookies
Re: authentication/modifying cookies
What you describe is roughly what the PHP session system does: it uses a random session id and server-side storage of related data (by default implemented as file storage, with an API to store it in a database, etc.). The user id is kept in the session (server side), not in the cookie. As such, simple cookie manipulation like what you describe will not be a vulnerability.
Storing data in cookies in a tamper-proof manner is possible (although not with the scheme you describe). Such a system would lack the "secrecy" property the session system has, and there are other caveats which should be taken into account, so I recommend reading up on sessions and using them instead.
P.S. I don't mean this as an insult (although I'm aware it sounds somewhat like one, hence this apology): I'm curious about your security background and how you got it without dealing with programming as well. Pentesting courses, something like that? It's great that you try "the other side" as well; it would increase your knowledge horizons a great deal. Cheers and keep it up.
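As an added example (not code from this thread), here is the session-based approach Mordred recommends in PHP, beside the cookie-only check the original post described. The PDO connection `$db`, the `users` table columns (`id`, `username`, `password_hash`) and the `/login.php` path are assumptions.

```php
<?php
// Added example: insecure cookie-based check vs. PHP-session-based check.
// Assumes a PDO connection $db and a users table with id, username, password_hash.

declare(strict_types=1);

// --- What the original post had: trusting a client-controlled cookie ---------
function insecure_current_user_id(): ?int {
    // Anyone can edit this cookie in the browser and impersonate another user.
    return isset($_COOKIE['user_id']) ? (int) $_COOKIE['user_id'] : null;
}

// --- Session-based approach: the browser only holds a random session id ------
function start_secure_session(): void {
    // Cookie flags: not readable by JavaScript, HTTPS only, strict SameSite.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Strict',
    ]);
    // Reject session ids the server did not generate itself.
    ini_set('session.use_strict_mode', '1');
    session_start();
}

function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id on privilege change, so a pre-set id cannot be reused.
    session_regenerate_id(true);
    // The user id lives server-side; nothing the client can edit contains it.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Call at the top of every member-only page after start_secure_session().
function require_login(): int {
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    return $_SESSION['user_id'];
}
```

With the default file-backed session store this also answers the overhead question: a member page does one session lookup and no database query just to identify the user.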
Re: authentication/modifying cookies
Hi Mordred, thanks for the advice. I'll look further into the details behind PHP sessions. No worries about the inquiry. I guess I sold myself short.
I have a B.S./M.S. in computer science, so I have about 8 years of programming experience (Java, C suite, Perl, Python, SQL, etc). I suppose I meant to say that I'm quite new to web programming (PHP/Coldfusion). I was very focused on applied math/computational theory during undergrad and security in grad, with an emphasis on enterprise development post-grad school. I must say, I wish I got into web application development a long time ago. It's a lot of fun and super useful.
Cheers!