I want to make a login system using cookies/sessions but I'm not sure what security and such is like with them.
With sessions, if "login" is set to "yes", can I trust that? Are users able to change what it returns? Should I just store the encrypted password and check it on every page?
With cookies, would I have to check for things like mysql injections?
This might sound like beginner stuff, but it would really help if someone could clarify it for me. Thanks in advance for any replies!
Answer
If you set a session variable, the user can't directly change it unless they hijack another session cookie.
What you mainly have to watch out for is on shared hosting, your session data isn't secure (typically other sites can see it).
It's also worth noting that cookie data isn't secure either. It shouldn't be relied upon in the same way that form data shouldn't be relied upon (no matter what client validation tells you).
Your best practices with passwords are:
- Store the password in the database in a hashed form, preferably SHA1 (first choice) or MD5 (second choice);
- When you receive the user's password, encrypt it and check it against what's stored in the database;
- Set the logged in username in the user session;
- Expire the cookie after some period (even if its days) rather than having it last forever; and
- Use a secure connection (HTTPS not HTTP) where possible. SSL certificates are cheap.
No comments:
Post a Comment