All geek questions in one place

Php sessions provide secure login

My question is about creating a secure journal in a routine. After matching the username and password with the saved values, I set the session variable named logged to true. Then, when the user views the web page, I simply check the registered variable for true or false to determine if the user should have access.

This is my first time creating something similar. It is safe? I feel that there is something else that I have to do to make sure that the users are valid.

+3
source share
4 answers

Anyone who receives your session cookie can log in as you. If you bind a session to an ip address, this is much more complicated. But this can lead to problems with people who change IP addresses. It is up to you to decide whether to worry.

+1
source

Of course, this is safe, but there are precautions that must be taken to prevent unsafe circumstances / attacks.

There is nothing wrong with the mechanism you described. But the implementation is incomplete / nonspecific. You must consider the storage of passwords and the procedures that you will use to log in.

In response to the complaint, here some problems OWASP causes authentication / sessions.

1. Are credentials always secure during storage using hashing or encryption?

, .

2. (, , , , )?

, / .

3. URL- (, URL-)?

, .

4. ?

, , .

5. - ?

, " ", .

6. ?

, session_destroy() session_start() .

7. , TLS-?

.

, , . - , . , colorakitten.com, : " , - ".

: PHP

+1

- , , , . , , , . -, , "user_tokens" - . , IP- , . , cookie . , - , IP- cookie .

Cross-Site-Scripting (XSS) . , , .

+1
source

You might also want to save the username in the session to properly configure any pages for the user. What you described is “safe,” but the security of your application is hard to evaluate without knowing what else you are doing.

0
source

Source: https://habr.com/ru/post/1742403/

More articles:


All Articles