PHP session var enough for user auth?

前端 未结 5 959
心在旅途
心在旅途 2021-02-06 15:21

Scenario:

  • After a user has logged in, a session variable is set confirming their login.
  • At the top of every page, login session variable is confirmed vali
5条回答
  •  鱼传尺愫
    2021-02-06 16:08

    Is this a strong enough security measure by itself,

    Set two session variables to validate eachother and/or
    Implement database/hash validation

    No, and the reason is this: Anything that your valid user can send to your server for authentication (Session ID, cookies, some hashed string, anything!) can be sniffed by others if it's not encrypted. Even if the server processes the data with md5 hashing, salt, double-session-variable checks, id or whatever, and stores that information, it is easily reproduced by the server when it receives the spoofed data again from some other source.

    As many people have suggested, SSL is the only way to prevent this type of evesdropping.

    It has occurred to me that, were the server to generate a new session id for each request, and allow the browser to reply with it only once, there could theoretically be only one hijacker request or post before the server and the authorized browser knew about it. Still unacceptable, though, 'cause one is enough to do serious damage.

    Hey what about this:

    Create a single-use GUID and random salt and encrypt it with a shared password using PHP - this is sent as the session id or a cookie.

    The client receives the cookie, decrypts it with the shared password using javascript (there are many enc/dec utilities available)

    Set the current cookie or session id to the GUID.

    That would ensure that nobody could hijack the session unless they knew the password, which is never sent over the network.

    SSL seems much easier, and is more secure still.

    EDIT: Ok, it's been done - nevermind ;-)

提交回复
热议问题