Hi. For my login I am going to be using cookies, but I was wondering how I could make it so that those cookies can't just be remade somewhere else and then used to go to my site and log in. Should I make it so that it takes the IP address of the logged-in computer and matches it with the one trying to access the site? Or is there a better way that is more secure?
Also, do you recommend sessions? I heard they aren't the best to use and that cookies are better.
dEcade
Security Question
Started by dEcade, Feb 04 2007 05:02 PM
3 replies to this topic
#1
Posted 04 February 2007 - 05:02 PM
#2
Posted 04 February 2007 - 05:18 PM
. Adam ., on Feb 4 2007, 04:08 PM, said:
Depending on what you are doing, cookies are better. You can use sessions for things such as invalid logins. But to keep a user logged in, use cookies.
If your system is insecure and uses cookies, it's easy to hack.
Never EVER store the user's password in a cookie.
Maybe create a new table in SQL with a session_id and all the details like IP, pass, last login, etc.
Then in the cookie, store:
- user_id
- session_id
- Adam
Ah, okay!
I think I will also play around with the IP address thing.
#3
Posted 04 February 2007 - 06:07 PM
What's so insecure about cookie'ing a hashed password?
Can it be reversed? Just double-hash it.
#4
Posted 04 February 2007 - 06:23 PM
Hackers could still probably get around it.
OK, I was working on a script. I'm not sure if it works because I haven't tested it, so there are probably problems. But I'll let you guys have a look at it to see if I'm doing it right.
I added *Something* in just so I don't show my file or database names.
<?php
// Include Files ($db, the database wrapper used below, is assumed to come from here)
include('*File*');

// Get Variables (cookies may be absent, so default to empty strings)
$user_id    = isset($_COOKIE['dc_admin_user_id'])    ? $_COOKIE['dc_admin_user_id']    : '';
$session_id = isset($_COOKIE['dc_admin_session_id']) ? $_COOKIE['dc_admin_session_id'] : '';

// Login check: both cookies must be present (the original test was inverted)
if ($user_id && $session_id)
{
    // The cookie value is attacker-controlled, so escape it before it goes into SQL
    $sql = "SELECT *
            FROM *Database*
            WHERE user_id = '" . mysql_real_escape_string($user_id) . "'";
    $result = $db->sql_query($sql);
    $row    = mysql_fetch_array($result);

    // No such user, or the cookie's session_id does not match the stored one
    if (!$row || $session_id !== $row['session_id'])
    {
?>
Login here!
<?php
        exit; // stop here, otherwise the admin page below is still reached
    }

    // Note: if session_id holds the password, the cookie above holds it too (see Adam's post)
    $session = explode(', ', $row['session_id']);
    // id, ip, password, last login
    $ipaddress  = $session[1];
    $password   = $session[2];
    $last_login = $session[3];
    $currentip  = $_SERVER['REMOTE_ADDR'];
    if ($currentip != $ipaddress)
    {
        // Expire the cookies (time() is a function call; must happen before any output)
        setcookie('dc_admin_user_id', '', time() - 99999);
        setcookie('dc_admin_session_id', '', time() - 99999);
?>
Login here!
<?php
        exit;
    }
    // Let's create the admin page now!
}
else
{
?>
Login here!
<?php
}
?>
dEcade
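A hardened version of the pattern Adam describes and dEcade's script implements, added here as an example and not code from the thread: the cookie carries the user id plus a random token, the server stores only a hash of the token with the user id, expiry and issuing IP, and the check uses a constant-time comparison and bound SQL parameters. It assumes PHP 7.1+, a PDO connection in `$pdo`, and a table `login_tokens(user_id, token_hash, ip, expires_at)`; the cookie, table and column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+, a PDO connection in
// $pdo and a table login_tokens(user_id, token_hash, ip, expires_at); the cookie,
// table and column names are assumptions.
const COOKIE_NAME = 'dc_admin_token';
const TOKEN_TTL   = 14 * 24 * 3600; // 14 days

// Call after a successful password check. The cookie gets a random token; the
// database keeps only its hash, so a leaked table does not yield usable cookies.
function issue_login_token(PDO $pdo, int $userId): void
{
    $token = bin2hex(random_bytes(32)); // 256 random bits, cannot be "remade" elsewhere
    $stmt = $pdo->prepare('INSERT INTO login_tokens (user_id, token_hash, ip, expires_at)
                           VALUES (:uid, :hash, :ip, :exp)');
    $stmt->execute([':uid' => $userId, ':hash' => hash('sha256', $token),
                    ':ip' => $_SERVER['REMOTE_ADDR'], ':exp' => time() + TOKEN_TTL]);
    // HttpOnly keeps page scripts from reading it; Secure keeps it off plain HTTP.
    setcookie(COOKIE_NAME, $userId . ':' . $token, time() + TOKEN_TTL, '/', '', true, true);
}

// Returns the user id for a valid cookie, or null so the caller shows the login form.
function user_from_login_cookie(PDO $pdo): ?int
{
    if (!isset($_COOKIE[COOKIE_NAME])) {
        return null;
    }
    [$userId, $token] = array_pad(explode(':', $_COOKIE[COOKIE_NAME], 2), 2, '');
    $stmt = $pdo->prepare('SELECT token_hash, ip, expires_at FROM login_tokens
                           WHERE user_id = :uid');
    $stmt->execute([':uid' => (int) $userId]); // bound parameter, no string-built SQL
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        // hash_equals() compares in constant time, so timing does not leak the hash.
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            continue;
        }
        // Expired tokens fail. The IP match is dEcade's idea: it stops a cookie copied
        // to another machine, at the cost of logging out users whose address changes.
        if ((int) $row['expires_at'] < time() || $row['ip'] !== $_SERVER['REMOTE_ADDR']) {
            return null;
        }
        return (int) $userId;
    }
    return null;
}
```

The password never reaches the cookie, hashed or not, which answers the double-hash question in #3: a stolen hash is still a valid credential until the password changes, whereas a token row can be deleted on logout.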