All geek questions in one place

How to set up a secure PHP session

In the same vein to my previous question - I'm not a very experienced PHP programmer. I don't know anything about sessions or security (the other that I learned an hour ago about md5 and sha1 with salt).

I have a login system and I want to create a session that stores and encrypts a string of the username of the user mixed with the timestamp. I know how to create a string, but I don’t know anything about sessions or how they work.

I spent the last hour developing Googling, but they all seem too simple or outdated, I am looking for something that has specific security, but also just (due to my inexperience).

How can I (on the administration pages) check if the user is logged in if this line is encrypted?

I know that there are similar questions, but I need an answer from a complete unprofessional point of view, since I do not know how to implement this solution.

Thanks for any help you can offer.

+3
source share
3 answers

I want to create a session that stores and encrypts a string of my username

Why? If you do not decrypt it, then there is no advantage over using a hashed or even random value. And if you decrypt it, then the key must also be stored in your data - so its just security is hidden.

How can I (on the administration pages) check if the user is logged in if this line is encrypted?

, . , , , .

+2

, . , , . .

, (, User, ).

$_SESSION ( - ) , . -.

+1

There are ways to secure a PHP session, but first you need to understand what level of security is needed and what he / she will achieve, finally.

Here's a blog post from Corey Ballou http://www.jqueryin.com/2009/11/20/php-secure-sessions/ , which I believe is good enough to clear up your doubts about securing PHP sessions.

+1
source

Source: https://habr.com/ru/post/1760731/

More articles:


All Articles