switch from cookies to sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana


Post by s.dot »

OK, recently I've had a lot of security issues, and it seems all could be fixed (or at least upgraded in security) by switching to sessions. The only thing I use cookies for at the moment is storing the username, and checking to see if it is set to allow users to do specific actions.

I've never dealt with sessions much.

If I change all instances of $_COOKIE['username'] to $_SESSION['username'] and all instances of isset($_COOKIE['username']) to isset($_SESSION['username']) and throw a session_start() at the top of every page, would this effectively switch me over to using sessions? Or are there other areas that I need to look at as well?
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

I can see how...

While I'd advocate scrapping your authentication code entirely, I think it would work. Just make sure you're able to roll back in case something breaks.
s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Post by s.dot »

For my authentication,

I plan on storing the session ID in the database and checking to see if it matches the PHP-generated session ID -- on every page load and form request.

Does this pretty much secure the login? (other than username and password matching, of course)
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

You should be aware that sessions write cookies as well, unless you disallow cookies entirely, which shouldn't be done. In that case you see the session ID in the URI.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Does PHP automatically append the SID to the URI?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

One armed space goat wrote: Does PHP automatically append the SID to the URI?

Read here, here, and here
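An added example, not code from anyone in this thread, that puts the pieces discussed above together: sessions instead of a username cookie, the session ID stored in the database and compared on every request, and PHP configured so the SID is only ever carried in a cookie and never appended to URLs. It assumes a PDO connection in `$pdo` and a hypothetical `users` table with `id` and `session_id` columns.

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo and a
// hypothetical `users` table with columns id and session_id.
// Configure before session_start(): cookie-only means PHP never appends the
// SID to a URI, and strict mode rejects IDs the server did not generate.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,   // send only over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Call once, after the username/password check has succeeded.
function login(PDO $pdo, int $userId): void
{
    // Fresh ID on privilege change, so a pre-login ID is never reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $stmt = $pdo->prepare('UPDATE users SET session_id = ? WHERE id = ?');
    $stmt->execute([session_id(), $userId]);
}

// Call on every page load and form request; replaces isset($_COOKIE['username']).
function currentUser(PDO $pdo): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT session_id FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    // Constant-time compare of the DB copy against the ID PHP generated.
    if (!is_string($stored) || !hash_equals($stored, session_id())) {
        logout();
        return null;
    }
    return (int) $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```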