steeped

Reputation: 2633

Proper security when creating a PHP session that never expires

Since keeping a session active for a long period doesn't seem very reliable (when using session_set_cookie_params), it seems like the next best option is to store a cookie along with the session.

When the user logs in, I create a random hash and store it in a database table beside their user id. I then create a cookie and store the hash within it.

If the cookie exists, I extract the hash, do a database search for the user id and automatically log the user in.

If the user is on an open WiFi network, is attacked via XSS, or has a virus/malware, what stops this cookie from being copied and used by some hacker?

What is the best way to keep a session active forever, or until the user logs out?

Upvotes: 0

Views: 108

Answers (2)

1234varun

Reputation: 239

To safeguard the cookie from XSS, set the HttpOnly flag on the cookie. To prevent sniffing, use a secure SSL connection and set the cookie's Secure flag too.

Upvotes: 1
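Putting the question's hash-in-a-cookie scheme together with the flags from this answer, as an added example (not code from the question or the answerer). It assumes a PDO handle `$pdo` and a table `login_tokens(selector, token_hash, user_id, expires)`; both names are assumptions, not from the page.

```php
<?php
// Added example (not from the question or answer). Assumes a PDO handle $pdo and a
// table login_tokens(selector, token_hash, user_id, expires) -- both assumptions.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

function issueRememberToken(PDO $pdo, int $userId): void
{
    // Selector locates the row; validator proves possession. Both random, not guessable.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));

    // Store only a hash of the validator: a leaked table cannot be turned into cookies.
    $stmt = $pdo->prepare('INSERT INTO login_tokens (selector, token_hash, user_id, expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', time() + REMEMBER_TTL)]);

    // HttpOnly keeps script (XSS) from reading it, Secure keeps it off plain HTTP,
    // SameSite limits cross-site sends. The options array needs PHP 7.3+.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function userIdFromRememberCookie(PDO $pdo): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT token_hash, user_id FROM login_tokens
                           WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time; a wrong validator is treated like no row.
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

The flags limit who can read or replay the cookie, but a token copied off a compromised machine still works until it expires, so delete the row on logout and consider rotating the token on each use.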

Machavity

Reputation: 31654

Something we do is use a custom session handler, and then use memcached/MySQL storage to back it. Since the session cookies can be set to a longer timeout, we load the data from memcached. If it's not in memcached, we load it from the database. If it's in neither, it's a new session. This way you don't have to generate new session IDs (PHP still handles that), but you do have to manage the data inside the sessions.

Upvotes: 1
