Using sessions like cookies

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Atomiku
Forum Newbie
Posts: 3
Joined: Thu Jun 23, 2005 4:48 pm

Post by Atomiku »

There is one thing that has been bugging me recently: it's that when my code has created a session, the session gets destroyed when the user closes the browser... I HAVE managed to find a way around it, but it does have major flaws...


Basically, my idea is to store the user's IP when he/she logs in. Then every time they go to a page on my site, it checks for their IP stored on login, then recreates the session.

Obviously, you can all see what could go wrong if two people have the same IP (if they are on a LAN, for instance).

So my question is... Is there any way that I can get like some unique info about the computer that the user is on, then use that instead of the IP?

Thanks in advance, Matt.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Store their IP, the current time and a random value in one string. Then hash that string. Store that hash in a cookie along with the IP. Insert the same information into the database.

When they return to your site, check the cookie value against the database, making sure that the IPs are once again the same as well as the hash.

I would recommend using feyd's sha256 found @ viewtopic.php?t=32334
Atomiku
Forum Newbie
Posts: 3
Joined: Thu Jun 23, 2005 4:48 pm

Post by Atomiku »

Wow :o That was fast
Thanks :)
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Post by patrikG »

Doesn't work for AOL users though. They have a rotating IP almost every HTTP request. Rather look into storing sessions in the database (see session_handler in the PHP manual) and save that session_id in a persistent cookie (hashed or encrypted). If you want a user to "remain logged in", store their username and session_id in their cookie (you would still want a secure login when users want to use it for forums or ecommerce; see how Amazon handles it).
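An added example, not code from this thread: the persistent-login token John describes (random value, hashed, stored in the database, sent in a cookie), with the IP check made optional because of patrikG's point about rotating IPs. The `$db` array, the function names and the user id 42 are placeholders standing in for a real table.

```php
<?php
// Added example, not from the thread: a persistent "remember me" token built
// from a random value, hashed and stored server-side, as John describes; the IP
// check is optional since patrikG notes some users' IPs rotate. $db stands in
// for the database table (use PDO with prepared statements in real code).
declare(strict_types=1);
const COOKIE_LIFETIME = 30 * 24 * 3600; // 30 days

// Issue a token: random value, hashed in the DB, raw value sent to the client.
function issueRememberToken(array &$db, int $userId, string $ip, int $now): string {
    $selector  = bin2hex(random_bytes(8));   // lookup key, safe to store in clear
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is stored
    $db[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'ip'      => $ip,
        'expires' => $now + COOKIE_LIFETIME,
    ];
    return $selector . ':' . $validator;     // cookie value
}

// Validate a cookie value; returns the user id or null. $bindIp ties the token
// to the login IP (John's check); leave it false for users whose IP rotates.
function validateRememberToken(array $db, string $cookie, string $ip, int $now,
                               bool $bindIp = false): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($db[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $db[$selector];
    if ($row['expires'] < $now) {
        return null;                         // expired token
    }
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // constant-time hash comparison
    }
    if ($bindIp && $row['ip'] !== $ip) {
        return null;                         // IP changed since login
    }
    return $row['user_id'];
}

// Usage: issue on login (with HttpOnly/Secure flags), check on the next visit.
$db = [];
$cookie = issueRememberToken($db, 42, '203.0.113.7', time());
setcookie('remember', $cookie, ['expires' => time() + COOKIE_LIFETIME,
    'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
var_dump(validateRememberToken($db, $cookie, '203.0.113.7', time()));
var_dump(validateRememberToken($db, $cookie, '198.51.100.9', time(), true));
```

Only the hash of the validator is stored, so a leaked table does not hand out working cookies; the second check fails because IP binding is on and the address differs.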