Reputation: 2760
I use cookies to check the user, but if someone kidnaps the cookie data, then he could pretend to be the user. The same is true with sessions too.
How can I make sure that when the user navigates and enters his pages, it is the actual user and not the one who hijacked the cookie/session?
(I can't make the user fill in his user name and password on every page, so that is not an option.)
Upvotes: 0
Views: 62
Reputation:
Set the "secure" flag on your cookies (see session_set_cookie_params or the ini settings), redirect all HTTP requests to HTTPS, and only generate links to HTTPS (to prevent unnecessary redirects).
The "secure" flag tells the browser to never send the cookie over HTTP, e.g. if your user were to type in the HTTP URL to your site. The SSL will take care of end-to-end encryption, protecting the cookie from eavesdropping. You could additionally do an IP check, but this would be inconvenient for some legitimate edge cases.
Upvotes: 3
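The two steps in that answer (force HTTPS, then set the "secure" flag via session_set_cookie_params before the session starts) as a worked PHP example. This is an added illustration, not the answerer's code; it assumes PHP 7.3 or later for the array form of session_set_cookie_params, and the function names redirect_to_https and configure_session_cookie are my own.

```php
<?php
// Added example (not from the answer above): harden the PHP session cookie and
// force HTTPS. Assumes PHP >= 7.3; the function names here are illustrative.

// 1. Redirect any plain-HTTP request to HTTPS before the session starts, so a
//    session ID is never issued or received over an unencrypted connection.
function redirect_to_https(): void
{
    $is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
    if (!$is_https) {
        $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
        header('Location: ' . $url, true, 301);
        exit;
    }
}

// 2. Mark the session cookie Secure (never sent over HTTP), HttpOnly (not
//    readable by page scripts) and SameSite=Strict (not attached to
//    cross-site requests). Must run before session_start().
function configure_session_cookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // discarded when the browser closes
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    // Equivalent php.ini settings, if you prefer configuration over code:
    //   session.cookie_secure = 1
    //   session.cookie_httponly = 1
    //   session.cookie_samesite = Strict
    ini_set('session.use_only_cookies', '1'); // never accept session IDs in the URL
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server did not create
}

redirect_to_https();
configure_session_cookie();
session_start();

// 3. Tell the browser to keep using HTTPS for this host (HSTS), so the
//    HTTP-to-HTTPS redirect above is hit at most once per client.
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
```

use_strict_mode and use_only_cookies are not in the answer but close the two remaining ways a session ID can reach the server outside the secured cookie (a client-chosen ID, or one passed in the URL); the HSTS header is what makes "only generate links to HTTPS" hold even for links you do not control.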
Reputation: 5668
Use a reasonable timeout (X minutes) and check for simultaneous activity from multiple IP addresses / browsers / OSes / etc. It isn't perfect, but may block most attackers.
Upvotes: 1
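An added example of the idle timeout and "same client?" check this answer suggests; it is not the answerer's code. It binds the session to a hash of the User-Agent and the client's IPv4 /24, drops the session when either the timeout or the fingerprint check fails, and rotates the session ID periodically (the rotation is my addition, beyond what the answer states). SESSION_IDLE_LIMIT, client_fingerprint and validate_session are illustrative names, and the 15-minute and 5-minute values are arbitrary choices.

```php
<?php
// Added example (not the answerer's code): idle timeout plus a client
// fingerprint stored in the session and checked on every request.

const SESSION_IDLE_LIMIT = 15 * 60; // seconds of inactivity before the session is dropped
const SESSION_ROTATE_EVERY = 5 * 60; // seconds between session ID rotations

// Fingerprint the client from request headers. The full User-Agent is used;
// an IPv4 address is reduced to its /24 so a user whose address moves within
// one provider block is not logged out, while a copied cookie replayed from a
// different network still fails. This is a heuristic, not proof of identity.
function client_fingerprint(array $server): string
{
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        $ip = substr($ip, 0, strrpos($ip, '.')) . '.0';
    }
    return hash('sha256', $ua . '|' . $ip);
}

// Returns true if the session is still valid for this request, false if it was
// destroyed because it timed out or the client fingerprint changed.
function validate_session(array $server, int $now): bool
{
    $fp = client_fingerprint($server);

    if (!isset($_SESSION['fp'], $_SESSION['last_seen'])) {
        // First request of this session: record the baseline.
        $_SESSION['fp'] = $fp;
        $_SESSION['last_seen'] = $now;
        $_SESSION['rotated'] = $now;
        return true;
    }

    $expired  = ($now - $_SESSION['last_seen']) > SESSION_IDLE_LIMIT;
    $mismatch = !hash_equals($_SESSION['fp'], $fp);

    if ($expired || $mismatch) {
        // Record why the session was dropped (constructed log line), then discard it.
        error_log(sprintf('session %s dropped: %s', session_id(),
            $expired ? 'idle timeout' : 'client fingerprint changed'));
        $_SESSION = [];
        session_destroy();
        return false;
    }

    $_SESSION['last_seen'] = $now;
    // Rotate the session ID so a cookie copied earlier goes stale quickly.
    if (($now - ($_SESSION['rotated'] ?? 0)) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated'] = $now;
    }
    return true;
}

session_start();
if (!validate_session($_SERVER, time())) {
    header('Location: /login', true, 302);
    exit;
}
```

The /24 truncation and the User-Agent check are exactly the "legitimate edge cases" the first answer warns about: mobile users changing networks or browsers auto-updating will be logged out, so the log line is there to let you see how often that happens before tightening or loosening the match.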
Reputation: 943124
You can't. If someone has someone else's credentials then the battle is lost.
Run all your data over HTTPS so it is encrypted (so safe from being stolen in transit) and trust your users to secure their own end points (since you have no other choice).
Upvotes: 1