authentication/modifying cookies
Posted: Thu Mar 17, 2011 11:31 am
Hello all --
I'm new to PHP and web development. I'm creating a website that allows users to create accounts/login. Post authentication, the user is redirected to their personalized dashboard. I read a few tutorials regarding handling authentication and every tutorial suggests to, upon successfully authenticating, store a cookie with the user's id from the database. I have everything working properly, but I have a pretty strong security background and I know that this cannot be the only method of securing member pages (e.g., I opened the page in Firefox, edited the cookie and inserted another member ID and can break the entire security paradigm).
I was thinking of a scheme where a random number, r, is generated when a user logs in, and that number is hashed, c, and stored in a second cookie. r could then be stored in a database and each member-only page can get the UserID in a session database, and then check if the SHA1(r) in the database matches the value in the cookie, c.
Is this the right approach? Either way, could you point me in the direction of a tutorial that addresses security past user_ids in cookies?
Also, if this is the right approach, isn't that a lot of overhead? Two database lookups for each page visit?
Thanks!
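One way to implement the scheme described in the post, written here as an added example rather than the poster's own code: the cookie carries only an opaque random token, the database stores the token's hash next to the user id, and every member page does a single lookup keyed by that hash. The `$sessions` array stands in for a sessions table and the cookie value is passed straight into the check; both are assumptions of this example.

```php
<?php
// Added example (not the poster's code): opaque session tokens instead of a user-id cookie.
// An in-memory array stands in for the sessions table; the cookie value is passed in directly.
const TOKEN_BYTES = 32;   // 256 bits from the OS CSPRNG
const SESSION_TTL = 3600; // seconds a session stays valid after login

$sessions = []; // sha256(token) => ['user_id' => int, 'expires' => int]

// Called once the password check succeeds. The raw token is the secret the
// browser holds; only its hash is stored server-side, so a leaked table does
// not give anyone a value that the cookie check would accept.
function createSession(array &$sessions, int $userId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $sessions[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + SESSION_TTL,
    ];
    return $token; // send with setcookie(..., ['httponly' => true, 'secure' => true])
}

// Called on every member-only page: a single lookup keyed by the hash of the
// cookie value. The user id comes from the server-side record, never from the cookie.
function userIdFromCookie(array &$sessions, ?string $cookie): ?int
{
    if ($cookie === null || strlen($cookie) !== TOKEN_BYTES * 2 || !ctype_xdigit($cookie)) {
        return null; // malformed, e.g. a user id typed into the cookie
    }
    $key = hash('sha256', $cookie);
    if (!isset($sessions[$key])) {
        return null; // never issued, or already logged out
    }
    if ($sessions[$key]['expires'] < time()) {
        unset($sessions[$key]);
        return null; // expired
    }
    return $sessions[$key]['user_id'];
}

function logout(array &$sessions, string $cookie): void
{
    unset($sessions[hash('sha256', $cookie)]);
}

// Walk-through with constructed values.
$token = createSession($sessions, 42);
assert(userIdFromCookie($sessions, $token) === 42);   // genuine cookie maps to user 42
assert(userIdFromCookie($sessions, '7') === null);    // edited cookie value is rejected
logout($sessions, $token);
assert(userIdFromCookie($sessions, $token) === null); // invalidated server-side
```

This answers the overhead question as well: the user id is read from the session row found by the hash, so it costs one lookup per page, not two.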