Reputation: 3224
Regarding PHP security with cookies and sessions, this is what I have done so far for prevention of attacks. What have I done incorrectly/unsafely?
login.php
<?php
session_start();
// Compare the submitted credentials with the values loaded from the database.
if ($username == $dbusername && $hashed_password == $dbpassword) {
    // Cookies live for one year; note that the hashed password is written to the client.
    setcookie('username[0]', $username, time() + (60*60*24*365));
    setcookie('username[1]', $userid, time() + (60*60*24*365));
    setcookie('password', $hashed_password, time() + (60*60*24*365));
    if ($admin == '1') {
        setcookie('username[3]', $admin, time() + (60*60*24*365));
    }
    $_SESSION['logged-in'] = 1;
}
logout.php
<?php
session_start();
// A timestamp one year in the past makes the browser discard each cookie.
$time = time() - (60*60*24*365);
setcookie('username[0]', '', $time);
setcookie('username[1]', '', $time);
setcookie('username[2]', '', $time);
setcookie('username[3]', '', $time);
setcookie('password', '', $time);
unset($_COOKIE['username']);
unset($_SESSION['logged-in']);
I call session_regenerate_id() on every page; is that correct to stop session fixation/hijacking?
<?php session_start(); session_regenerate_id();
Here is my php.ini. What other ways can I provide security for sessions & cookies?
; do not carry the session id in URLs
session.use_trans_sid = 0
; accept the session id from cookies only (the directive is use_only_cookies)
session.use_only_cookies = 1
Any examples/improvements welcomed, as I learn better with examples.
Upvotes: 1
Views: 199
Reputation: 24071
Often regenerating the session id is done when changing access privileges (e.g. after a login).
The password should not be stored in a cookie on the client side, not even the hash. It's not even necessary to store it in the session, you use it only to verify the login, and after writing the state to the session, you should forget about the password.
If you want a really safe site, you need a HTTPS connection with SSL encryption. Otherwise an attacker can eavesdrop on the information sent in plaintext, and use the session id (or whatever you use to authenticate the user) to impersonate the user.
Upvotes: 2
Reputation: 59987
Please, please, really please do not store a password as a cookie. It (the computer) may be in a cafe or elsewhere.
This is a security issue and one open to be broken.
BTW, have a rethink and use a cunning mind as to how a person could break into YOUR system.
Upvotes: 1
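As an added example that is not code from the question or from either answer: both answers make the same point, that the password (even hashed) must never go to the client and that the session id should be regenerated at login, so here is one login/logout pair that does that. All authentication state lives in the server-side session, the session cookie carries secure/httponly/samesite flags, and the password is forgotten the moment it has been verified. It assumes PHP 7.3 or later (for the array forms of session_set_cookie_params() and setcookie()); the user table is constructed in memory to stand in for the database, and the helper names findUser(), login(), currentUser() and logout() are this example's own, not anything from the original post.

```php
<?php
// Added example (not from the question or either answer): login/logout that
// keeps authentication state only in the server-side session, never writes the
// password or its hash to a cookie, regenerates the session id at the privilege
// change (login), and hardens the session cookie itself.
declare(strict_types=1);

// Equivalent of php.ini directives, set here so the example is self-contained.
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed user table standing in for the database (placeholder accounts).
function findUser(string $username): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice' => ['id' => 1, 'admin' => 0, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
            'bob'   => ['id' => 2, 'admin' => 1, 'hash' => password_hash('battery staple', PASSWORD_DEFAULT)],
        ];
    }
    return $users[$username] ?? null;
}

// login.php: verify, then store only the facts the application needs.
function login(string $username, string $password): bool
{
    $user = findUser($username);
    // Verify against a dummy hash for unknown users so that response time does
    // not reveal whether the username exists.
    $hash = $user['hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($user === null || !password_verify($password, $hash)) {
        return false;
    }
    unset($password); // the plaintext password is not needed after this point

    // Fresh id for the new privilege level; true discards the old session data
    // so an id an attacker fixated before login cannot be replayed.
    session_regenerate_id(true);
    $_SESSION['logged_in']  = true;
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['username']   = $username;
    $_SESSION['is_admin']   = (bool) $user['admin'];
    $_SESSION['login_time'] = time();
    return true;
}

// Guard for every protected page: trust the server-side session, not cookies.
function currentUser(): ?array
{
    if (empty($_SESSION['logged_in'])) {
        return null;
    }
    return ['id' => $_SESSION['user_id'], 'username' => $_SESSION['username'], 'admin' => $_SESSION['is_admin']];
}

// logout.php: wipe server state and expire the session cookie on the client.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Usage: runs from the CLI as a demonstration; on a web server the same calls
// sit behind the form handlers.
$results = [
    'wrong password'    => login('alice', 'wrong password'),
    'right password'    => login('alice', 'correct horse'),
    'admin after login' => currentUser()['admin'] ?? null,
];
logout();
$results['user after logout'] = currentUser();
var_dump($results);
```

The difference from the posted login.php is what the client holds: only the opaque session id. Role and identity are looked up from $_SESSION on the server, so a user cannot promote themselves by editing a username[3] cookie, and nothing on a shared machine can be replayed as a password.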