Authentication and Sessions
#18

[eluser]Peng Kong[/eluser]
If the db is used, the hash is pointless, since session data is stored in the db and not in the cookie; the hash would just be taking up db space. Tampering with the cookie just means losing access to the session (row in the session table); the best someone could do is try fixation or spoofing.

Michael's concern was regarding distributed auth libraries where there was a possibility of a non-db, non-encrypted session configuration; by putting a hash in the cookie the risk is mitigated.

To secure ALL custom data in the cookie, ALL custom data has to be in the hash together with a non-guessable, non-publicly viewable piece of data (I'm thinking the user's password is a perfect candidate for this).

Maybe something like this?

When storing...
Code:
if ( ! $sess_db_in_use)
{
    // only needed when the session lives in the cookie, not in the db
    $cookie_data['id']   = $db_id;
    $cookie_data['name'] = $db_name;
    $cookie_data['hash'] = sha1($db_id . $db_name . $db_password);
}

Before using session data
Code:
if ( ! $sess_db_in_use)
{
    // strict comparison: loose == on hash strings is unreliable in PHP
    if ($cookie_hash === sha1($cookie_id . $cookie_name . $db_password))
    {
        // we can trust that the cookie data wasn't tampered with
    }
}
else
{
    // we can always trust that db custom data isn't tampered with
}

what do you guys think?
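The tamper check sketched above, written out as an added example; this is not the poster's code and not CodeIgniter's session library. It keeps the idea of binding the cookie to a non-public per-user value (the stored password hash), but makes two design choices of its own: the tag is an HMAC keyed from a server-side secret plus that per-user value instead of a bare sha1 of concatenated fields, and the fields are serialized canonically so "ab"."c" and "a"."bc" cannot produce the same input. The names SESSION_SECRET, sign_cookie and verify_cookie, and the demo values, are all assumptions made here.

```php
<?php
// Added example (not the original post's or CodeIgniter's code).
// Assumptions: SESSION_SECRET is a long random server-side value that is
// not stored in the database; $db_password is the user's stored password
// hash fetched from the db; $cookie_data is the decoded cookie array.

define('SESSION_SECRET', 'PLACEHOLDER-replace-with-a-long-random-server-secret');

// Canonical serialization so field boundaries are unambiguous.
function cookie_payload(array $fields): string
{
    return json_encode($fields, JSON_UNESCAPED_SLASHES);
}

// Per-user key: server secret mixed with the user's non-public value.
// Changing the password therefore invalidates every outstanding cookie.
function derive_key(string $db_password): string
{
    return hash_hmac('sha256', $db_password, SESSION_SECRET, true);
}

// When storing: emit the custom fields plus an HMAC over all of them.
function sign_cookie(int $db_id, string $db_name, string $db_password): array
{
    $fields = ['id' => $db_id, 'name' => $db_name];
    $fields['hash'] = hash_hmac('sha256', cookie_payload($fields), derive_key($db_password));
    return $fields;
}

// Before using session data: recompute the tag from the cookie's own
// fields and compare in constant time. Any edited field changes the tag.
function verify_cookie(array $cookie_data, string $db_password): bool
{
    if (!isset($cookie_data['id'], $cookie_data['name'], $cookie_data['hash'])) {
        return false;
    }
    $fields = ['id' => (int) $cookie_data['id'], 'name' => (string) $cookie_data['name']];
    $expected = hash_hmac('sha256', cookie_payload($fields), derive_key($db_password));
    return hash_equals($expected, (string) $cookie_data['hash']);
}

// Constructed demo values (not real credentials).
$db_password = '$2y$10$constructedexamplehashconstructedexamplehash';
$cookie = sign_cookie(42, 'alice', $db_password);
var_dump(verify_cookie($cookie, $db_password));   // untouched cookie verifies

$cookie['id'] = 1;                                // a modified field
var_dump(verify_cookie($cookie, $db_password));   // verification now fails
```

Note that the check only tells you the fields were produced by your server for this user; it says nothing about whether the cookie was copied from another browser, so the fixation and spoofing cases the post mentions still need the usual session controls (regeneration on login, HttpOnly and Secure flags, expiry).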
