Can site users change cookie or session data?

In some of my posts, when I have stored user information in cookies, all the comments and answers have said something like, "... answer to problem ... but DON'T USE COOKIES TO STORE USER INFORMATION. IT'S INSECURE."

In one of my test websites, I store a cookie called "user" that holds the logged-in user's username, as well as a session variable. I know this may be personal information, but on the webpage it says the username, so would it really matter?

It would matter if a hacker could get onto my website to change the value of the "user" cookie and session, and log into someone's account without their username.

Is this possible? If so, how?

Also, if I need to update my security, how would I have an option of "Stay Logged In" without a cookie?

Thanks for any help.

Jonathan Lam asked May 03 '14 20:05


People also ask

Can users change session data?

The $_SESSION is stored entirely on the server, so the user cannot modify it.

Can a user change cookies?

Cookies are stored on the client. The user can therefore change them if they want to. Session information is stored on the server. That means the user can not change it.

Can client change session variables?

No. @George Korac: Yes. It is possible for a user to change a variable so if you're using normal PHP sessions - no you can't trust a user's input.

Can session be modified?

A user cannot modify PHP sessions on the server. They can only forge a legitimate cookie and masquerade as a logged-in user - but that will require them to steal a valid cookie in the first place.


1 Answer

Yes, cookies are stored on the client side and can be retouched.

So how to prevent intruders from modifying data? I want to introduce two mechanisms for this:

Store in Session, access with Cookie

Because HTTP is a stateless protocol, the server will save a cookie usually named session_id and the client will send it with every request. With this mechanism the server finds out which user is requesting.

The server can store user data in so-called Session Variables and can access them only on the server; the client CAN NOT modify them.

Example:

On the server's session storage (disk, db or RAM):

27: ["username" => "foo"]
35: ["username" => "bar"]
95: ["username" => "fuzz"]

In each client's cookie:

client 1:

"session_id" : 27

client 2:

"session_id" : 35

client 3:

"session_id" : 95

This method has a downside:

All the data has to be stored on the server, and it can consume the server's space.

Store in Cookie, access with Key

Another approach is to store data in the user's cookie, but before storing it, encrypt it with a key.

Since it is encrypted and the client has no access to the key, intruders couldn't make any valid change to the data.

In this approach you only have to store the encryption key on the server.

It doesn't consume the server's space (disk or RAM).

Downside: since all the data is sent from the client in every HTTP request, it consumes the server's bandwidth.

For example: Laravel Framework's cookies are encrypted.

Abilogos answered Oct 12 '22 12:10
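The two mechanisms from the answer above, as an added example that is not part of the original thread and not PHP or Laravel code: mechanism 1 keeps the data server-side and hands the client only an opaque, random session id (a sequential id like 27 or 35 would be trivial to guess); mechanism 2 puts the data in the cookie but attaches an HMAC-SHA256 tag computed with a key that only the server holds, so any edit to the cookie body is rejected on the next request. The caveat a practitioner wants here is that encryption by itself hides the value but does not by itself prove the value was not changed; an integrity tag is what makes tampering detectable (Laravel's encrypted cookies carry a MAC alongside the ciphertext for exactly this reason). The class and function names, and the `SERVER_KEY` value, are this example's own assumptions.

```python
"""Server-side sessions versus keyed (signed) cookies.

Added example, not the original post's code. SessionStore, sign_cookie,
verify_cookie, tamper_demo and SERVER_KEY are names chosen for this example.
"""
import base64
import hashlib
import hmac
import json
import secrets


# --- Mechanism 1: store in session, access with cookie ----------------------

class SessionStore:
    """Server-side session storage; a dict stands in for disk, db or RAM.

    The client only ever holds the session id, never the data."""

    def __init__(self):
        self._sessions = {}

    def create(self, data):
        # 256 bits of randomness: an attacker cannot guess another user's id
        # the way they could with sequential ids such as 27, 35, 95.
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = dict(data)
        return session_id

    def get(self, session_id):
        # A forged or stale id simply misses; the stored data is untouched.
        return self._sessions.get(session_id)


# --- Mechanism 2: store in cookie, access with key --------------------------

# Constructed placeholder; a real deployment loads a random key from config.
SERVER_KEY = b"example-only-key-not-for-real-use"


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_cookie(data, key=SERVER_KEY):
    """Serialise data and append an HMAC-SHA256 tag keyed with the server key."""
    payload = _b64(json.dumps(data, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def verify_cookie(cookie, key=SERVER_KEY):
    """Return the data if the tag matches, otherwise None (tampered or forged)."""
    try:
        payload, tag = cookie.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak tag bytes via timing.
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(_unb64(payload))


def tamper_demo():
    """Show what the server sees for an untouched cookie and an edited one."""
    cookie = sign_cookie({"username": "foo"})
    _payload, tag = cookie.split(".", 1)
    # Client rewrites the body to another username but cannot recompute the tag.
    edited = f'{_b64(json.dumps({"username": "bar"}).encode())}.{tag}'
    return verify_cookie(cookie), verify_cookie(edited)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create({"username": "foo"})
    print("session lookup:", store.get(sid), "| forged id:", store.get("27"))
    print("signed cookie verify:", tamper_demo())
```

The signed-cookie form still sends the username in the clear, which matches the original poster's observation that the username is public anyway; if the cookie must also hide its contents, encrypt the payload and then tag the ciphertext, which is the combination Laravel ships.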