
Just how safe is a session based on a mysql field id for user identification?

Hello all,

Just wanted to see if I am leaving open some security hole in a script I have! When the user logs in it creates a session based on the id field of the users table! For example .... my id is 10 so a session is created based on that.

What I wanted to know is if I want a secure way to identify a genuine user based on their session then should I make this session more complicated by adding further details? Or even create multiple sessions?

I am currently checking the user against my sql table id against their session but thought that if someone created a session from another website with for example the number 10 then I wouldn't want them being able to access my members account whose ID number is 10!

Hope this makes sense and someone can clarify the best way around it

Thanks

justted
Junior Poster
140 posts since Dec 2007
Reputation Points: 10
Solved Threads: 2
 

Session is fairly safe but hackable.

Here's a decent rundown that may help you: http://www.sitepoint.com/blogs/2004/03/03/notes-on-php-session-security/

kireol
Posting Whiz
313 posts since Mar 2008
Reputation Points: 34
Solved Threads: 51
 

It's pretty secure. Adding more info and creating extra sessions is unnecessary overhead.

The best way to prevent this is to run session_regenerate_id(true).

[kireol explains everything nicely, I posted at the same time. Didn't see that post]

kkeith29
Nearly a Posting Virtuoso
1,357 posts since Jun 2007
Reputation Points: 235
Solved Threads: 194
 
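As an added example (not code posted in this thread), here is a login flow that keeps only the user's id in the server-side session and calls session_regenerate_id(true) at login, as kkeith29 suggests. It assumes a PDO connection $pdo and a users table with columns id, username and password_hash (assumed names); the session data itself lives on the server, so a visitor can only present a session id cookie, not choose the user id stored behind it.

```php
<?php
// Added example: session handling around login. Assumes $pdo (PDO) and a
// users table with columns id, username, password_hash (assumed names).

// Session id travels only in a cookie the browser cannot read from script.
ini_set('session.use_only_cookies', '1');
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh session id after authentication: a session id that was fixed or
    // captured before login no longer maps to the logged-in user.
    session_regenerate_id(true);
    // Only the id is stored. $_SESSION is server-side, so nobody can set
    // user_id = 10 from another site; they would need the real session cookie.
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function currentUser(PDO $pdo): ?array
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // Re-check the id against the table on each request so a deleted or
    // disabled account does not keep a live session.
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    return $user === false ? null : $user;
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```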
