Re: Storing user ID in a cookie security precautions

On Mon, Feb 25, 2008 at 12:28 PM, Steve Finkelstein <sf@xxxxxxxxxxxxx> wrote:
[snip!]
>  My question to the community is -- I'd like to try something similar
>  to this approach for an application I'm working on. Although I'm a bit
>  concerned as in the event of XSS or something of that nature, what if
>  a userid is compromised and manipulated? Is it unlikely with George's
>  encryption algorithms?

    While I don't know what George's encryption algorithm may be, keep
in mind the difference between sessions and cookies:

    $_SESSION:   Only places a cookie on the end-user's browser with a
32-character alphanumeric hexadecimal key that corresponds with the
session ID held on the server.  The user's information is not stored
in the cookie, and because of the hash of the PHPSESSID sent and
stored in the cookie, it's very unlikely that a wannabe will be able
to forge that.  Someone with real knowledge may be able to do so, but
in that event, if they want the data bad enough, you'll have much more
to worry about than sessions and cookies.  :-\

    $_COOKIE:     Stores the actual data, encrypted or otherwise, on
the user's computer.  This is where you run into the issues of XSS,
session hijacking, and spoofing more frequently.

>  I figured it would be redundant to store the user ID in a $_SESSION as
>  well as I need a variable to pop the user id into for my queries.

    I see no reason why this would be considered redundant.  I
frequently store the UID in a $_SESSION for a variety of reasons,
including just to check isset() to be sure the person still has a
valid session active (among other methods, of course, but that's a
quick way of checking).  And because $_SESSION data is only written to
the server, it's a bit more reliable than $_COOKIE data that is not
nearly as trustworthy.

>  Thank you for your $.02!

    No problem.  It's just too bad that overdrew my account.  ;-P

-- 
</Dan>

Daniel P. Brown
Senior Unix Geek
<? while(1) { $me = $mind--; sleep(86400); } ?>

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

