Re: [PHP] Using Cookies Securely
On Fri, May 30, 2003 at 11:01:26PM -0700, Evan Nemerson wrote: Send a session ID to the user in a cookie, then lookup that ID in a database on the server. It's extremely difficult to guess random session ID's (don't just increment them!), and if you have a session timeout, you're pretty much set. That's true, and it is what most people do, but if you think about it the session ID is then functionally equivalent to a crypt'd password for the duration of your session; that is, either one allows you access to the site. So if you were worried about folks sniffing an encrypted password and using it to log in, you should be equally worried about folks sniffing a session ID and using *it* to log in. Dustin -- Dustin Mitchell [EMAIL PROTECTED]/[EMAIL PROTECTED] http://people.cs.uchicago.edu/~dustin/ -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using Cookies Securely
Again, It's not perfect, but I don't think anyone has come up with a better way. It's called session hijacking, and it is a great reason to use SSL. However, there's still the issue of cross-site scripting, which can really only be prevented by smarter coding. Even then there are issues. For example, holes in ie's SSL capabilities (including a current, unpatched vulnerability- well okay it was patched but M$ managed to re-introduce it in more recent patches...), permit undeteted MITM attacks. On Saturday 31 May 2003 05:56 am, Dustin Mitchell wrote: On Fri, May 30, 2003 at 11:01:26PM -0700, Evan Nemerson wrote: Send a session ID to the user in a cookie, then lookup that ID in a database on the server. It's extremely difficult to guess random session ID's (don't just increment them!), and if you have a session timeout, you're pretty much set. That's true, and it is what most people do, but if you think about it the session ID is then functionally equivalent to a crypt'd password for the duration of your session; that is, either one allows you access to the site. So if you were worried about folks sniffing an encrypted password and using it to log in, you should be equally worried about folks sniffing a session ID and using *it* to log in. Dustin -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP] Using Cookies Securely
I see some posts here that say storing a username or encrypted password in a cookie is not secure. If so, then what's a more secure way to allow users to be remembered using a cookie so that they don't have to log in every time they come to the site? What do you store in the cookie to authenticate against? Monty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using Cookies Securely
The short answer is that if you're worried about security, don't store a uid and pwd in a cookie on the client... banks don't do it, for example. It's also common for the uid to be remembered, but not the pwd. From what I can see happening on the big sites, you give the user the option to be remembered or not, and you advise them against it if they're on a shared/public computer, or even remotely care about security and privacy. Handling log-ins and cookie sending under SSL would also help. Justin on 31/05/03 4:29 PM, Monty ([EMAIL PROTECTED]) wrote: I see some posts here that say storing a username or encrypted password in a cookie is not secure. If so, then what's a more secure way to allow users to be remembered using a cookie so that they don't have to log in every time they come to the site? What do you store in the cookie to authenticate against? Monty -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Using Cookies Securely
Send a session ID to the user in a cookie, then lookup that ID in a database on the server. It's extremely difficult to guess random session ID's (don't just increment them!), and if you have a session timeout, you're pretty much set. It's not perfect, but I don't think anyone has come up with a better way The way it's been explained to me, this is how PHP's sessions work, but I have not personally verified this. So I think it's okay to put semi-sensitive data in the session array (you shouldn't ever store really sensitive data). Check first though. On Friday 30 May 2003 10:29 pm, Monty wrote: I see some posts here that say storing a username or encrypted password in a cookie is not secure. If so, then what's a more secure way to allow users to be remembered using a cookie so that they don't have to log in every time they come to the site? What do you store in the cookie to authenticate against? Monty -- Perl - the only language that looks the same before and after RSA encryption. -Keith Bostic -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php