Security Ideas [sessions/cookies]
Posted: Thu Jun 01, 2006 9:44 am
Hi guys.
I've never really implemented any sort of decent security on an application, and now I've come to do it, I can't think of a good idea to use.
At the moment I have temporary security measures in place while I develop my application.
When a user logs in, it grabs their user id, and sets it in a session var, like so:

$_SESSION['user_id'] = mysql_result($result, 0, 0);

Now, I can only presume this is being done by a cookie, because nothing is added to the URL, and if I disable cookies, the login system doesn't work after you navigate away from the page. Would it be a good idea to change it so it puts the session ID in the URL?
I am also using a 'Remember Me' system. Now, if someone logs in correctly and has checked the 'Remember Me' box, it sets a cookie like so:

setcookie('remember', $_SESSION['user_id'], time()+60*60*24*30);

and then when someone enters the website with a remember cookie set:

$_SESSION['user_id'] = $_COOKIE['remember'];

I assume this is very insecure, as all you would have to do is create your own cookie with the site admin's user ID, and next time you access the website you'll be logged in as him/her.
How should I improve my security, especially for the 'Remember Me' section? Should I store some sort of unique, user specific code in the database and check against it each time the website is accessed? Would that have performance issues? How do you tackle this sort of thing?
Thanks for any input.
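One way to build the "unique, user specific code in the database" the post asks about, as an added example that is not code from the original post: the cookie carries a random selector and a random secret instead of the user id, and the database holds only a hash of the secret. It assumes PHP 7.1 or later with the PDO SQLite driver; the function names and the remember_tokens table are inventions for this demo.

```php
<?php
// Added example (not the original poster's code): a "remember me" cookie that
// carries a random token instead of the user id. The database stores only a
// hash of the secret half, so a leaked table does not yield usable cookies and
// a cookie cannot be forged from knowledge of a user id alone.
// Uses an in-memory SQLite database through PDO so it runs stand-alone; the
// remember_tokens table and its columns are assumptions made for this demo.

function issue_remember_token(PDO $db, int $userId, int $ttl = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key, stored as-is
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is stored
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;     // this string is the cookie value
}

function redeem_remember_token(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                         // malformed, e.g. a bare user id
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;                         // unknown selector or expired token
    }
    // constant-time compare so a guessed validator leaks no timing information
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // right selector, wrong secret: treat the token as compromised and revoke it
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Demo: log user 42 in, then present the cookie again on a later visit.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');
$cookie = issue_remember_token($db, 42);
// In a real login handler the value would be set with setcookie('remember', $cookie,
//   ['expires' => time() + 30 * 86400, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(redeem_remember_token($db, $cookie));   // the genuine cookie
var_dump(redeem_remember_token($db, '42'));      // a bare user id, as in the original scheme
[$selector] = explode(':', $cookie, 2);
var_dump(redeem_remember_token($db, $selector . ':' . str_repeat('0', 64))); // a forged secret
```

The per-request cost is one primary-key lookup on the selector, so the performance concern raised in the post is small. After a token is redeemed, call session_regenerate_id() before setting $_SESSION['user_id'] so the pre-login session id is not carried into the logged-in session.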