Please help with login method
Posted: Fri Apr 24, 2009 12:56 pm
Hello Everyone!
I am new to this forum (first post actually)...so please forgive me if I post this in the wrong spot.
I am working on the user/login portion now, and am trying to figure out a way to prevent account hijacking/secure login.
I have a user database with structure user_id, username, password, secret_id ...name birth_date, etc
I want somehow to prevent session hijacking by having the session hold a random secret_id that changes every page reload and saves that value in the database and somehow have that tie in to some cookie value holding the user_id...
I have a login system now, but I am sure it is very vulnerable...It just sets a session variable holding the secret_id that changes every time a page loads, but if someone gets ahold of the secret_id, the server will think he is the valid user and keep sending him new secret values in his own session...
Please help,
Thanks,
Ben
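One way to build the per-request rotating secret the post describes, written here as an added example (it is not the poster's code and not tied to any particular framework). It assumes an in-memory dict standing in for the poster's user/session table, a `now` parameter so expiry can be exercised deterministically, and that the cookie carries `session_id.secret` while the database keeps only a hash of the secret. The key point it demonstrates is the failure mode the poster worried about: rotation cannot stop a stolen secret from being used once, but because only one holder can present the current secret, the first stale presentation is a hijack signal and the whole session is revoked for both parties.

```python
import hashlib
import hmac
import secrets
import time

SESSION_TTL = 30 * 60  # idle lifetime in seconds (constructed value for the example)


class SessionStore:
    """Server-side session table: session_id -> user_id, hash of the current secret, expiry.

    Stands in for the poster's secret_id column. Only a hash of the secret is stored, so a
    read of the database alone does not yield a usable cookie.
    """

    def __init__(self):
        self.sessions = {}

    @staticmethod
    def _hash(secret):
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def login(self, user_id, now=None):
        """Create a fresh session after password verification (not shown) and return the
        two values that go into the cookie."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)      # unguessable session id (CSPRNG, not rand())
        secret = secrets.token_urlsafe(32)   # per-request rotating secret
        self.sessions[sid] = {
            "user_id": user_id,
            "secret_hash": self._hash(secret),
            "expires": now + SESSION_TTL,
        }
        return sid, secret

    def validate_and_rotate(self, sid, secret, now=None):
        """Check the presented (sid, secret); on success rotate the secret and return
        (user_id, new_secret). Return None and revoke the session on any failure."""
        now = time.time() if now is None else now
        rec = self.sessions.get(sid)
        if rec is None or rec["expires"] < now:
            self.sessions.pop(sid, None)
            return None
        # Constant-time comparison of hashes avoids leaking the secret through timing.
        if not hmac.compare_digest(rec["secret_hash"], self._hash(secret)):
            # Stale secret: someone else already used (and rotated) this session. That is
            # the hijack signal, so revoke the session for everyone holding it.
            del self.sessions[sid]
            return None
        new_secret = secrets.token_urlsafe(32)
        rec["secret_hash"] = self._hash(new_secret)
        rec["expires"] = now + SESSION_TTL
        return rec["user_id"], new_secret


def session_cookie_header(sid, secret):
    """Cookie attributes that keep the value away from scripts and off plain HTTP."""
    return f"session={sid}.{secret}; Path=/; HttpOnly; Secure; SameSite=Lax"


def parse_session_cookie(value):
    """Split the cookie value back into (sid, secret); None if malformed."""
    if "." not in value:
        return None
    sid, secret = value.split(".", 1)
    return sid, secret


def demo_hijack_detection():
    """Constructed scenario: attacker copies the cookie and uses it before the real user.
    Returns (attacker_first_request_ok, victim_rejected, attacker_locked_out_afterwards)."""
    store = SessionStore()
    t = 1_000_000.0
    sid, secret = store.login(user_id=42, now=t)
    attacker = store.validate_and_rotate(sid, secret, now=t + 1)       # stolen secret works once
    victim = store.validate_and_rotate(sid, secret, now=t + 2)         # stale -> session revoked
    attacker_again = store.validate_and_rotate(sid, attacker[1], now=t + 3)  # also rejected
    return (attacker is not None and attacker[0] == 42, victim is None, attacker_again is None)


if __name__ == "__main__":
    print(demo_hijack_detection())  # (True, True, True)
```

Two caveats worth keeping in mind before deploying this pattern: per-request rotation is a detection layer, not a prevention one, and it breaks when a browser fires several requests in parallel (images, AJAX) with the same cookie, because the second one arrives with an already-rotated secret and revokes the session. The measures that actually stop the theft are TLS on every page, `HttpOnly` and `Secure` on the cookie, and regenerating the session id at login and on any privilege change; rotation on top of that turns a silent hijack into a forced logout that shows up in your logs.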