0

Hi i have a membership system on my site and i noticed a problem that is on my site. The user can change the a cookie information which holds the users id, after that the user can be logged in as a different user by changing the id, i was wondering how i can avoid this problem, i don't need any code by the way just a idea to help stay away from this issue.

3
Contributors
2
Replies
3
Views
7 Years
Discussion Span
Last Post by brandonrunyon
0

That's why I try to avoid cookies except to hold generic information that the scripts only reference or if they do require, cross-reference before using (e.g. it stores username/id/joined-date (unix timestamp, makes it incredibly hard to guess), check to see if all 3 pieces match up, if not, log them out). The $_SESSION variable is reasonably nice and efficient as well and is entirely based on the user's browser.

Though I'll warn you, if a hacker wants to get in or screw with your website, it's only a matter of time. You're job is just to make sure they get frustrated and give up before they find a way in ;)

[Links]
http://www.google.com/search?q=php+secure+login
http://insanesecurity.info/blog/8-tips-for-a-secure-login-scriptadmin-panel
http://www.google.com/search?q=php+secure+cookie
http://thinkvitamin.com/dev/how-to-create-totally-secure-cookies/

Edited by Nyight: n/a

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.