Menu
I'm hashing passwords, matching user agents when reading session data, and everything needed to securly log in users. I'm interested in ways to securely retrieve/read session data. For example I'm using a function that gets the user id from a session data array...
In db table:
a:6:{s:9:"user_data";s:0:"";s:7:"user_id";s:1:"3";s:9:"firstname";s:4:"Tina";s:8:"lastname";s:3:"Fey";s:8:"username";s:8:"lizlemon";s:6:"status";s:1:"1";}
Function (Codeigniter):
function get_user_id()
{
if (is_numeric($this->ci->session->userdata('user_id')))
{
return $this->ci->session->userdata('user_id');
}
else
{
exit();
}
}
I'm only checking if the id is numeric. Should we worry about retrieving session data even though it was securely added to the db?
421
You should NEVER write your own session handler. Use sesion_start() and the $_SESSION[] super global. This also open the door to using the PHP security session features, such as cooke_secure, http_only cookies, and use_only_cookies.
session_start() generates a very secure session id that is a cryptographic nonce. You can configure PHP to pull this value from /dev/urandom which is a very secure entropy pool and probably the best way available for generating a session id.
150
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
