jayshields wrote: When a user logs in, it grabs their user id, and sets it in a session var, like so:
$_SESSION['user_id'] = mysql_result($result, 0, 0);
Now, I can only presume this is being done by a cookie, because nothing is added to the URL, and if I disable cookies, the login system doesn't work after you navigate away from the page. Would it be a good idea to change it so it puts the session ID in the URL?
People use the term "Cookie" haphazardly, and there are two kinds of cookies - which is important to realize.
There are permanent cookies, which despite their name, don't last forever. They have a finite lifespan, and you have to define it (weeks or months is common). A not insignificant minority of users limit permanent cookies they will accept, and in some cases won't accept any at all.
Sessions, on the other hand, are stored via *session* cookies, or temporary cookies. Most browsers have implemented these cookies to be memory resident, so if your browser crashes or closes, your session cookie is gone. In IE, it does store it to disk, but in a separate area from the other cookies. In Firefox, I think it's memory resident, just like Opera.
So yes, it is being done by a temporary cookie. The vast majority of users - even those with cookie watching or privacy software - usually allow session cookies.
The alternative, as you mention, is passing the session id in the URL. The risk with doing so is that it is easy to capture over the wire, and it's also passed to other sites when you leave. So for example, if I went from example.com?SID=3987865 to evilhacker.com, the referrer variable will contain that session id. That can be a bad thing, so generally, you should avoid passing it in the URL if you can.
(It should be noted that despite these issues, temporary cookies are practically just as easy to capture over the wire - just not by referrer).
jayshields wrote: I am also using a 'Remember Me' system.
How should I improve my security, especially for the 'Remember Me' section? Should I store some sort of unique, user specific code in the database and check against it each time the website is accessed? Would that have performance issues? How do you tackle this sort of thing?
Thanks for any input.
Secure login systems put multiple checks in place to validate that you are you, and that you are allowed to do what you want to do.
Remember me systems remove multiple checks to make things easier for a user.
See the conflict between the two?
There are ways to reduce the impact, but a remember me system, by design, will reduce the security of your login system.
Ways to reduce impact:
1. session_regenerate_id() - each login, change the id, so it's valid for a shorter period of time
2. Validate - any changes the user makes should bypass the remember me, and prompt for login again. For example, when changing their email or password.
Hope that helps.
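The following is an added example, not code from either poster. It shows the database-backed "Remember Me" token the question asks about, together with the two mitigations from the reply: session_regenerate_id() on every login and forcing a fresh password login before sensitive changes. The cookie carries a random selector plus a random verifier; only the selector and a SHA-256 hash of the verifier are stored, so a leaked table does not yield working cookies. The table name, column names, function names and the in-memory SQLite database (standing in for the asker's MySQL) are all assumptions made for the example; it runs from the CLI as written on PHP 7.3 or later.

```php
<?php
// Added example (not from the original thread). Hypothetical schema and names.
declare(strict_types=1);

const REMEMBER_LIFETIME = 30 * 24 * 3600; // 30 days, an assumed policy

function setupDb(): PDO {
    // SQLite in memory stands in for the real MySQL table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector      TEXT PRIMARY KEY,
        verifier_hash TEXT NOT NULL,
        user_id       INTEGER NOT NULL,
        expires       INTEGER NOT NULL)');
    return $db;
}

// Called right after the password check succeeds.
function loginUser(int $userId): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    // Mitigation 1: new session ID, so an ID captured before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_fresh'] = true;   // the password was typed in this session
}

// Issue a remember-me token and store only the hash of its secret half.
function issueRememberToken(PDO $db, int $userId): string {
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $verifier = bin2hex(random_bytes(32));  // secret, never stored in clear
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, verifier_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $verifier), $userId,
                    time() + REMEMBER_LIFETIME]);
    return $selector . ':' . $verifier;
}

// In a real request, send the token as a hardened cookie.
function setRememberCookie(string $token): void {
    setcookie('remember', $token, [
        'expires' => time() + REMEMBER_LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function revokeRememberToken(PDO $db, string $selector): void {
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Validate a presented cookie value. Returns the user ID, or null if invalid.
function checkRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $verifier] = $parts;
    $stmt = $db->prepare('SELECT verifier_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    if ((int) $row['expires'] < time()) { revokeRememberToken($db, $selector); return null; }
    // Constant-time comparison of the hashed verifier.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        // Known selector but wrong secret: treat as tampering and revoke.
        revokeRememberToken($db, $selector);
        return null;
    }
    return (int) $row['user_id'];
}

// Resume from the cookie: the user is logged in but the login is NOT fresh.
function resumeFromCookie(PDO $db, string $cookie): bool {
    $userId = checkRememberToken($db, $cookie);
    if ($userId === null) { return false; }
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_fresh'] = false;
    return true;
}

// Mitigation 2: email/password changes only when the password was just entered.
function canChangeCredentials(): bool {
    return !empty($_SESSION['auth_fresh']);
}

// Walk-through, CLI-safe (no cookie is actually sent here).
$db     = setupDb();
$userId = 42;                               // e.g. from mysql_result($result, 0, 0)
loginUser($userId);
$cookie = issueRememberToken($db, $userId); // setRememberCookie($cookie) in a real page
$_SESSION = [];                             // pretend the browser was closed
var_dump(resumeFromCookie($db, $cookie));                 // bool(true)
var_dump(canChangeCredentials());                         // bool(false): must re-login first
var_dump(checkRememberToken($db, 'nope:' . str_repeat('0', 64))); // NULL, unknown selector
var_dump(checkRememberToken($db, $cookie));               // NULL, revoked by the bad guess? no: see note
```

Note on the last line: a wrong verifier for a known selector revokes that selector, but the preceding call used an unknown selector, so the stored token is still valid and that final call returns int(42), not NULL; revocation only happens when the selector matches and the verifier does not. The "fresh login" flag is the practical form of the reply's second point: a session resumed from a cookie can browse, but changing the email or password sends the user back to the password form, and a successful password entry should then call loginUser() again to set the flag and rotate the session ID.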