Reputation: 1501
Is using one session secure enough?
Currently a friend of mine and myself are working on a site together. We have our login system down, but are using sessions. I, myself, have always used cookies for logins, though my friend prefers sessions. I keep telling him we should have two or more sessions we can compare with the database to make sure it's the accurate user, and not someone who somehow scammed the ID.
For example:
$_SESSION['id'] = $YourId;
$_SESSION['salt'] = $SomethingElseTheDatabaseHas;
This making it more secure instead of just one session that the database can compare with.
Upvotes: 0
Views: 139
Answers (1)
Reputation: 8836
Using multiple session variable to store information does nothing for security since the session data is stored server-side. The only thing that the client knows about the session is the session ID that it stores in a cookie. The server uses the session id to lookup data for the user. If you're using a hash stored in a cookie to identify users, you might as well use sessions since that basically does the same thing, but makes working with a user's data much easier.
I'm not sure exactly what you mean by using cookies to store the data, but if you mean that the client would have a cookie with their user id that the server uses for authentication, you should rewrite that immediately since it basically allows the user to be whomever they want.
Upvotes: 8
Related Questions
- Should I rely on sessions?
- PHP is $_SESSION enough to secure the web page?
- Is this the right way to start more secure session in PHP?
- Working with Security and Sessions, is this secure enough?
- Is safe to rely site security on $_SESSION?
- Is a PHP session secure?
- session security in php
- Session Security?
- ServerSide Sessions safe?