
Login system (PHP) Cookies and Sessions

I want to make a login system using cookies/sessions but I'm not sure what security and such is like with them.

With sessions, if "login" is set to "yes", can I trust that? Are users able to change what it returns? Should I just store the encrypted password and check it on every page?

With cookies, would I have to check for things like mysql injections?

This might sound like beginner stuff, but it would really help if someone could clarify it for me. Thanks in advance for any replies!

hatter asked Aug 30 '09 17:08


4 Answers

If you set a session variable, the user can't directly change it unless they hijack another session cookie.

What you mainly have to watch out for is on shared hosting, your session data isn't secure (typically other sites can see it).

It's also worth noting that cookie data isn't secure either. It shouldn't be relied upon in the same way that form data shouldn't be relied upon (no matter what client validation tells you).

Your best practices with passwords are:

  1. Store the password in the database in a hashed form, preferably SHA1 (first choice) or MD5 (second choice);
  2. When you receive the user's password, encrypt it and check it against what's stored in the database;
  3. Set the logged in username in the user session;
  4. Expire the cookie after some period (even if it's days) rather than having it last forever; and
  5. Use a secure connection (HTTPS not HTTP) where possible. SSL certificates are cheap.
cletus answered Nov 10 '22 05:11
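
An added example, not part of the answer above: the five steps as one login flow, using PHP's built-in `password_hash()`/`password_verify()` (a salted, slow hash, swapped in here for the SHA1/MD5 the answer names) and session state kept server-side. It assumes PHP 7.3+; the `$users` array is a constructed stand-in for the database table and `IDLE_LIMIT` is an assumed value.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // assumed 30-minute idle timeout, in seconds

function start_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // cookie is dropped when the browser closes
        'secure'   => true,    // sent over HTTPS only (step 5)
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(array $users, string $name, string $password): bool
{
    $user = $users[$name] ?? null;
    // password_verify() re-hashes the candidate with the salt embedded in the
    // stored hash and compares the result in constant time (steps 1 and 2).
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    session_regenerate_id(true);       // discard the pre-login session id
    $_SESSION['username']  = $name;    // step 3: identity lives in the session
    $_SESSION['last_seen'] = time();
    return true;
}

function current_user(): ?string
{
    if (!isset($_SESSION['username'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) { // step 4: expire
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['username'];
}

// Constructed sample record: only the hash is stored, never the password.
$users = ['hatter' => ['hash' => password_hash('s3cret-example', PASSWORD_DEFAULT)]];

start_session();
$rejected = login($users, 'hatter', 'wrong-guess');
$accepted = login($users, 'hatter', 's3cret-example');
var_dump($rejected, $accepted, current_user());
```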


As several people here have stated, do not trust user input - ever. By sanitizing your input, especially username & password fields, you help to ward off SQL Injection attacks.

For all that is good & holy don't store usernames or passwords in cookies, they're sent back & forth to the server on every request and anyone watching the stream can snatch that data...then you're in big trouble.

Here are a couple of articles you should read on sessions, security and hashing - just hashing your passwords to SHA1 or MD5 isn't enough, salt them so they're even more robust. There's no such thing as impenetrable security - even if you do EVERYTHING right someone can break it - it's inevitable. Your job is to make things as hard to break/exploit as possible.

The more work involved in breaking into your site, the more valuable your content has to be to be worth the effort. Your job is to discourage malicious users.

This article has some nice info on creating unique fingerprints for your visitors, helps to make session hijacking more difficult - PHP Security Guide: Sessions

This article deals with basic password hashing & salting techniques - Password Hashing

This is by no means an end all & be all - you can make a career doing security and the like, but they're a good starting point. Someone here can probably point to better / more advanced articles, but I've personally found these helpful in shoring up my code.

Crazy Joe Malloy answered Nov 10 '22 04:11


Rule of thumb: do not trust user input. Cookies are user input, session ids that are stored in cookies are user input, http headers are user input -- these things must be triple checked for every possible thing. Session data, on the other hand, is stored on your server, so it is more or less secure if not stored in /tmp.

One of the most popular setups for session authorization is this: session id is stored in cookie, and everything else including password is stored in session. After starting a session based on id from a cookie, you should get user id from session data and then check if password stored there is still valid.

n1313 answered Nov 10 '22 03:11


A good practice to use is to have 3 variables stored. One for if they are logged in, one for their username and one for a randomly generated hash (that is generated when they login and stored in a database along with the other user info). This way, if they change their username that may be stored in their cookies, it won't match the one that was generated for that user when they logged in.

Example: Cookie data could be: logged_in = true; user = 'admin'; sessionid = [randomly generated id (I usually just md5 a randomly generated word that I create)]

Every time they log in, a new sessionid is generated and stored in the database in its own field. Now if I were to change my cookie information and change the user variable to say 'user' (which would be another user they may be trying to hijack), the sessionid would no longer match up to the one for the second user and the login would be denied.

Here is a quick example I stole from a CI project I worked on a couple weeks ago:

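    function logged(){
        // Flag set at login time.
        $logged_in = $this->session->userdata('logged_in');
        if($logged_in){
            $userid = $this->session->userdata('userid');
            $sessionhash = $this->session->userdata('hash');

            // The hash must match the one stored for this user id at login.
            $this->db->where('id', $userid);
            $this->db->where('hash', $sessionhash);
            $query = $this->db->get('members');

            // num_rows() is the query-result method that returns the row count.
            return $query->num_rows() == 1;
        }
        // Not logged in: return FALSE explicitly instead of falling through to NULL.
        return FALSE;
    }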
NJ. answered Nov 10 '22 03:11
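
An added example, not part of the answer above and not the CI project's code: the same per-login token check in plain PDO, with the token drawn from `random_bytes()` rather than an md5 of a random word, only its SHA-256 stored, and the client-supplied id bound as a query parameter. The in-memory SQLite table is a constructed stand-in for the MySQL `members` table, and `issue_token()` is a hypothetical helper name.

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the MySQL `members` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT, hash TEXT)');
$db->exec("INSERT INTO members (id, username) VALUES (1, 'admin'), (2, 'user')");

// At login: issue a fresh random token and keep only its SHA-256 in the table.
function issue_token(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the system CSPRNG
    $stmt  = $db->prepare('UPDATE members SET hash = :h WHERE id = :id');
    $stmt->execute([':h' => hash('sha256', $token), ':id' => $userId]);
    return $token;                        // this value goes to the client
}

// On every request: id and token come from the client, so they are validated,
// bound as parameters (never concatenated into SQL) and compared in constant time.
function logged(PDO $db, $userId, $token): bool
{
    if (!is_string($token) || !ctype_digit((string) $userId)) {
        return false;
    }
    $stmt = $db->prepare('SELECT hash FROM members WHERE id = :id');
    $stmt->execute([':id' => (int) $userId]);
    $stored = $stmt->fetchColumn();
    return is_string($stored) && hash_equals($stored, hash('sha256', $token));
}

$adminToken = issue_token($db, 1);
var_dump(logged($db, '1', $adminToken));        // id and token belong together
var_dump(logged($db, '2', $adminToken));        // id changed to another user
var_dump(logged($db, '1 OR 1=1', $adminToken)); // non-numeric id is refused

issue_token($db, 1);                            // the user logs in again
var_dump(logged($db, '1', $adminToken));        // the earlier token is now stale
```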