Hi i have a membership system on my site and i noticed a problem that is on my site. The user can change the a cookie information which holds the users id, after that the user can be logged in as a different user by changing the id, i was wondering how i can avoid this problem, i don't need any code by the way just a idea to help stay away from this issue.
nick3592 0 Light Poster
Nyight 10 Junior Poster in Training
That's why I try to avoid cookies except to hold generic information that the scripts only reference or if they do require, cross-reference before using (e.g. it stores username/id/joined-date (unix timestamp, makes it incredibly hard to guess), check to see if all 3 pieces match up, if not, log them out). The $_SESSION variable is reasonably nice and efficient as well and is entirely based on the user's browser.
Though I'll warn you, if a hacker wants to get in or screw with your website, it's only a matter of time. You're job is just to make sure they get frustrated and give up before they find a way in ;)
[Links]
http://www.google.com/search?q=php+secure+login
http://insanesecurity.info/blog/8-tips-for-a-secure-login-scriptadmin-panel
http://www.google.com/search?q=php+secure+cookie
http://thinkvitamin.com/dev/how-to-create-totally-secure-cookies/
brandonrunyon 21 Junior Poster
Be a part of the DaniWeb community
We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.