How to use session identifiers for authentication

I use only the session variables $_SESSION['user_id'] and $_SESSION['passwd'] to store the user ID and password once at login.

I just check these two variables against the database every time the user goes to a new PHP page for authentication. Actually, I did not know about session_id().

I don't think that what I am doing for authentication is the right way. I feel there is something to be done with session_id for security.

Another doubt is whether these session variables can be easily cracked when I use session variables, as I mentioned.

What should I do?

+4
5 answers

An attacker cannot easily modify or read $_SESSION variables if there is no other vulnerability, but it is usually bad practice to keep the password on the server longer than necessary, for several reasons.

It is enough to check the password once when the user logs in. After that, you only need to save the authenticated user_id in the session. You need to know who the session belongs to in order to grant the necessary permissions to this particular user. But you already know that the user sent the correct password, otherwise you would not have saved his user_id in the session in the first place.

+3
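A login handler and a per-page guard that follow the advice in this answer, as an added example that is not from the original thread: the password is verified once with password_verify(), only the user ID is kept in the session, and the session ID is regenerated at login so that an ID an attacker planted before login cannot be reused afterwards. The table users with columns id, username and password_hash (hashes produced by password_hash()), and the PDO connection $pdo, are assumptions of this example.

```php
<?php
// Added example, not from the original thread. Assumes a `users` table with
// columns `id`, `username`, `password_hash` (created with password_hash()) and
// an already-open PDO connection in $pdo; both are assumptions of this example.

declare(strict_types=1);

// Cookie hardening must be set before session_start(): the session cookie is
// the only thing the client holds, so it must not leak to scripts or over HTTP.
session_set_cookie_params([
    'httponly' => true,  // not readable by JavaScript
    'secure'   => true,  // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// login.php: called once with the submitted username and password.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares the submitted password against the stored hash;
    // the plaintext password is never written anywhere after this check.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session ID and discard the old one, so a session ID fixed by
    // an attacker before login is not promoted to an authenticated session.
    session_regenerate_id(true);

    // Only the authenticated user ID is kept in the session.
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Guard included at the top of every protected page; returns the user ID.
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('access denied');
    }
    return (int) $_SESSION['user_id'];
}

// logout.php: drop the session data, expire the cookie, destroy the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

Session data lives on the server; the browser only holds the session ID cookie, so the realistic threat is theft or fixation of that ID rather than "cracking" the stored variables, which is why the cookie flags and session_regenerate_id() matter. If a protected page must notice a password change or a disabled account, look up the row by $_SESSION['user_id'] on that page and treat a missing or disabled row as logged out; there is still no reason to keep the password in the session.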

For basic authentication, your approach of storing the user ID is fine. However, you do not need to save the password during user authentication.

+1

You only need to authenticate once against the database and then save the result in a $_SESSION variable. Example:

 session_start(); // the session must be started before $_SESSION is used
 if ($user_and_pass_ok) { $_SESSION['user_logged_in'] = true; } 
0

Sure. You only need the one variable $_SESSION['user_id']. Use

 session_start(); // the session must be started before $_SESSION is read
 if (empty($_SESSION['user_id'])) { die("access denied"); } 

to authenticate the user.

0

You do not need to check every time the user switches to a new PHP page. After user authentication, store the session_id in $_SESSION['session_id'], for example. After that, all you have to do is check whether $_SESSION['session_id'] is set. If so, then the user is "logged in."

Hope this helps.

-1

Source: https://habr.com/ru/post/1347683/

