
switch from cookies to sessions

Posted: Tue Nov 08, 2005 12:35 pm
by s.dot
Ok, recently I've had a lot of security issues, and it seems all could be fixed (or at least upgraded in security) by switching to sessions. The only thing I use cookies for at the moment is storing the username, and checking to see if it is set to allow users to do specific actions.

I've never dealt with sessions much.

If I change all instances of $_COOKIE['username'] to $_SESSION['username'] and all instances of isset($_COOKIE['username']) to isset($_SESSION['username']) and throw a session_start() at the top of every page, would this effectively switch me over to using sessions? Or are there other areas that I need to look at as well?
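
The swap described in this post, written out as an added example (this is not code from the thread; it targets PHP 7 or later and assumes a hypothetical check_password() helper that verifies credentials against your user store). The "before" function is the cookie check the poster describes; anything in $_COOKIE is sent by the browser and can be set to any value, so isset($_COOKIE['username']) is satisfied by a hand-crafted Cookie: username=admin header. The "after" functions keep the username in $_SESSION, where only an opaque session ID reaches the client:

```php
<?php
// Added example, not from the original thread.
// Assumes a hypothetical check_password($username, $password) helper.

// --- BEFORE: trusting a client-supplied cookie ---
// The browser sends this value, so a client can set it to any username.
function is_logged_in_cookie(): bool
{
    return isset($_COOKIE['username']);
}

// --- AFTER: keeping the username server-side in $_SESSION ---
// The client only holds the session ID; the username lives in the
// server-side session store and cannot be edited by the client.
function start_session_once(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

function login(string $username, string $password): bool
{
    start_session_once();
    if (!check_password($username, $password)) {   // hypothetical helper
        return false;
    }
    // Issue a fresh ID at login so a session ID fixed by an attacker
    // before login does not carry the authenticated state.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    return true;
}

function is_logged_in_session(): bool
{
    start_session_once();
    return isset($_SESSION['username']);
}

function current_username(): ?string
{
    start_session_once();
    return $_SESSION['username'] ?? null;
}

function logout(): void
{
    start_session_once();
    $_SESSION = [];
    // Expire the session cookie in the browser as well as destroying
    // the server-side data, so the old ID is useless on both ends.
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The replace-$_COOKIE-with-$_SESSION approach works as far as it goes, but session_start() has to run before any output on every page, and the login and logout paths need the session_regenerate_id() and session_destroy() calls above; a plain find-and-replace does not add those.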

Posted: Tue Nov 08, 2005 12:52 pm
by Ambush Commander
I can see how...

While I'd advocate scrapping your authentication code entirely, I think it would work. Just make sure you're able to roll back in case something breaks.

Posted: Tue Nov 08, 2005 1:31 pm
by s.dot
For my authentication,

I plan on storing the session ID in the database and checking to see if it matches the php generated session id -- on every page load and form request.

Does this pretty much secure the login? (other than username and password matching of course)
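
The check proposed in this post, as an added example (not the poster's code). It assumes a PDO connection $pdo and a users table with username and session_id columns; both are assumptions for illustration, not something the thread specifies. The session ID is recorded at login and compared with the live session_id() on every request:

```php
<?php
// Added example, not from the original thread.
// Assumes a PDO connection $pdo and a users table with columns
// username and session_id (both assumed for illustration).

// Call after a successful password check.
function bind_session_to_user(PDO $pdo, string $username): void
{
    // Regenerate first, so the value stored in the DB is the post-login ID.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $stmt = $pdo->prepare('UPDATE users SET session_id = :sid WHERE username = :u');
    $stmt->execute([':sid' => session_id(), ':u' => $username]);
}

function session_matches_db(PDO $pdo): bool
{
    if (!isset($_SESSION['username'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT session_id FROM users WHERE username = :u');
    $stmt->execute([':u' => $_SESSION['username']]);
    $stored = $stmt->fetchColumn();
    // hash_equals() avoids a timing side channel on the comparison.
    return is_string($stored) && hash_equals($stored, session_id());
}

// Call at the top of every page and form handler, after session_start().
function require_login(PDO $pdo): string
{
    if (!session_matches_db($pdo)) {
        // Mismatch: the user logged in elsewhere since, or the session is
        // stale or forged. Drop it and send the client to the login page.
        $_SESSION = [];
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    return $_SESSION['username'];
}

// On logout clear the stored ID so the old session cannot pass the check.
function unbind_session(PDO $pdo): void
{
    if (isset($_SESSION['username'])) {
        $stmt = $pdo->prepare('UPDATE users SET session_id = NULL WHERE username = :u');
        $stmt->execute([':u' => $_SESSION['username']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

What this buys you: each user has at most one live session (a second login replaces the stored ID and the first session fails the check), and an administrator can end a session from the server side by clearing the column. What it does not buy you: a stolen session cookie still passes, because the thief presents exactly the ID that is stored. Protecting the ID in transit (HTTPS, HttpOnly cookie, no ID in URLs) is a separate job from this check.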

Posted: Tue Nov 08, 2005 2:37 pm
by AGISB
You should be aware that sessions write cookies as well, unless you disallow cookies entirely, which shouldn't be done. In that case you see the session ID in the URI.

Posted: Tue Nov 08, 2005 4:12 pm
by Luke
Does php automatically append the SID to the URI?

Posted: Tue Nov 08, 2005 4:18 pm
by feyd
One armed space goat wrote: Does PHP automatically append the SID to the URI?
Read here, here, and here.
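
Added example covering both AGISB's point and Luke's question above (this is not code from the thread, and the settings are shown as they exist in current PHP, not as 2005 defaults). Session data lives on the server, but the session ID still has to reach the browser: normally as a cookie (PHPSESSID by default) and, when session.use_trans_sid is enabled, by PHP rewriting relative URLs in the page output to carry the ID. The weak configuration below lets the ID travel in the URL; the hardened one keeps it cookie-only:

```php
<?php
// Added example, not from the original thread.

// --- Weak: the ID may travel in the URL ---
// With use_only_cookies off, PHP accepts ?PHPSESSID=... from the query
// string (a fixation vector: the attacker picks the ID and sends the link),
// and use_trans_sid copies the ID into links and forms in the output, where
// it leaks through Referer headers, proxy logs and browser history.
function configure_session_weak(): void
{
    ini_set('session.use_only_cookies', '0');
    ini_set('session.use_trans_sid', '1');
}

// --- Hardened: cookie only, hidden from script, HTTPS only ---
function configure_session_hardened(bool $https): void
{
    ini_set('session.use_only_cookies', '1');   // ignore IDs in GET/POST
    ini_set('session.use_trans_sid', '0');      // never rewrite URLs
    ini_set('session.use_strict_mode', '1');    // reject IDs PHP did not issue (PHP >= 5.5.2)
    session_set_cookie_params([               // array form needs PHP >= 7.3
        'lifetime' => 0,          // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',
        'secure'   => $https,     // only sent over HTTPS
        'httponly' => true,       // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
}

// Settings must be applied before the session opens.
configure_session_hardened(
    isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off'
);
session_start();

// To answer Luke directly: PHP appends the ID only when use_trans_sid is on.
// The SID constant holds "name=id" when the ID did NOT arrive in a cookie
// and is an empty string when it did, so this link carries the ID only for
// cookie-less clients.
echo '<a href="page.php?' . htmlspecialchars(SID, ENT_QUOTES) . '">next</a>';
```

The same settings can be put in php.ini (session.use_only_cookies = 1, session.use_trans_sid = 0, session.cookie_httponly = 1, session.cookie_secure = 1) so that they apply before any script runs; the ini_set() calls are shown here so the weak and hardened forms sit side by side.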