I am making a registration / login system with php. I think that I have all the initial data for entering the system (hashing the password with salt, saving in db ...).
My question is that the user registers between the pages after their initial login. I understand that one method is to have a session table on your server that stores a random unique identifier for each user and to store this identifier in a cookie on the user's computer. Thus, for each page you load, all you do is search for your session ID in your database.
I don’t understand how safe it is? Someone could not just smell the identifier, and then fake themselves with this user. Someone might even just try to guess the identifiers.
I also read that it is better if the identifier changes on every page visit. How does this increase security? It seems that it would simply reduce the amount of time that any ID could use.
Also, how would this change with the Remember Me feature, which will be stored for a long time?
source
share