I've looked everywhere and haven't found a clear step-by-step tutorial on how to secure sessions/cookies. Here are snippets of my code; I'd like to know how I can improve session security to prevent fixation/hijacking and improve cookie safety. These are snippets of code from the user login system.
login.php
<?php
// login.php snippet as posted (behaviour unchanged); session_start() added so it runs on its own
session_start();
if ($username == $dbusername && $hashed_password == $dbpassword)
{
    // persistent cookies carrying the username and user id, valid for one year
    setcookie('username[0]', $username, time() + (60*60*24*365));
    setcookie('username[1]', $userid, time() + (60*60*24*365));
    if ($admin == '1') {
        $_SESSION['admin'] = 1;
    }
    $_SESSION['logged-in'] = 1;
    header('Location: ' . $return);
}
logout.php
<?php
// logout.php snippet as posted (behaviour unchanged); session_start() added so it runs on its own
session_start();
$time = time() - (60*60*24*365);   // a timestamp one year in the past expires the cookies
setcookie('username[0]', '', $time);
setcookie('username[1]', '', $time);
unset($_COOKIE['username']);
unset($_SESSION['logged-in']);
unset($_SESSION['admin']);
I call session_regenerate_id() on every page; is that correct to stop session fixation/hijacking?
session_start(); session_regenerate_id(true);
php.ini
; do not put the session id into URLs
session.use_trans_sid = 0
; accept the session id from the cookie only (directive name is use_only_cookies)
session.use_only_cookies = 1
Can you please tell me what I should do to improve on this? Examples would help greatly.
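An added example of a hardened version of the login/logout flow above, written for this page and not code from the original poster. It assumes PHP 8, a PDO connection $pdo, and a users table with columns id, username, password_hash (stored with password_hash()) and is_admin; the function names are hypothetical. It shows the session cookie flags, the session id being regenerated at the moment the privilege level changes rather than on every request, a constant-time password check via password_verify(), identity kept server-side instead of in year-long username/userid cookies, and a logout that destroys the server-side session and expires the session cookie.

```php
<?php
// Added example, not the original poster's code. Assumed: PHP 8, PDO connection $pdo,
// and a `users` table with id, username, password_hash, is_admin (all hypothetical).
declare(strict_types=1);

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // reject session ids the server did not issue (anti-fixation)
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, not a one-year cookie
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not attached to cross-site POSTs
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, is_admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() compares in constant time against the stored hash;
    // no loose == comparison of two hash strings.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // The privilege level changes here, so issue a fresh session id and delete the old one.
    session_regenerate_id(true);

    // Identity lives server-side only; the browser holds just the session id.
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['is_admin']  = (bool) $row['is_admin'];
    $_SESSION['logged_in'] = true;
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Redirect only to a path on this site, then stop running the page.
function redirect_local(string $return): void
{
    if ($return === '' || $return[0] !== '/' || str_starts_with($return, '//')) {
        $return = '/';
    }
    header('Location: ' . $return);
    exit;
}

// Usage (login.php): start_secure_session(); if (login($pdo, $_POST['username'], $_POST['password'])) { redirect_local($_POST['return'] ?? '/'); }
// Usage (logout.php): start_secure_session(); logout(); redirect_local('/');
```

The exit after header() matters: without it, the rest of login.php keeps executing for a visitor who was not redirected, and the check on $return keeps the redirect from being pointed at another site.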