Re: [PHP] maintaining [user] state without a session ...

Thu, 13 Mar 2008 08:42:05 -0700 

At 3:16 PM +0000 3/13/08, Stut wrote:

tedd wrote:

Nice article.


Thanks.


I question the reason why you would want to encrypt the cookie 
considering that before the user is going to be provided access to 
sensitive data that you require a password confirmation. The 
encryption seems to be an unnecessary overkill.



So what if a malicious user uses a cookie to pretend to be a real 
user IF before they can get access to sensitive data they have to 
enter a correct password?


Please explain.



Certainly. It's not about them getting access to the data in that 
cookie, it's got more to do with ensuring the cookie contents remain 
unchanged.



While it's true that the "remember me" cookie could live with not 
being encrypted I would then need to validate the data it contains. 
By encrypting it I know that if it decrypts successfully it's 
exactly what the site put in it at the end of the last request.



For some sites this would not be an issue but due to some of the 
ways we use the data in that cookie I decided the cost of encrypting 
it against the cost of validating it and the risks involved made 
encryption the better option.



There is another reason... Cookies are sometimes stored in plain 
text on the users machine. Since that cookie contains an email 
address and potentially a phone number it's much better to encrypt 
it and protect our users.


Hope that answers your question.

-Stut


Okay.


Considering that all user data is placed in a database for extraction 
as needed, then why not put the state of the user's last visit in 
there as well and save only the session id (or whatever) as a cookie?



Then, when the user returns, you simply check the cookie with what's 
stored in the dB and continue as before. If the check fails (no 
session id or it has been altered), then start again.



To do house keeping, simply run a routine at some interval to check 
the sessions' age and remove those that are older than what's wanted.


Why put anything client-side that might be a security problem?

Cheers,

tedd


--
-------
http://sperling.com  http://ancientstones.com  http://earthstones.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
























					Reply via email to