Is Session a safe place to store data?
(07-25-2016, 03:22 PM) Ivo Miranda Wrote: I don't understand why the users table must not be auto-incremented. What's the problem with that? Is Ion Auth from Ben Edmunds considered insecure?

No, Ion Auth is excellent. I don't understand your question. Who said the user_id (I presume you mean) should not be auto-incremented?

(07-25-2016, 03:25 PM) PaulD Wrote: (07-25-2016, 03:22 PM) Ivo Miranda Wrote: I don't understand why the users table must not be auto-incremented. What's the problem with that? Is Ion Auth from Ben Edmunds considered insecure?

Cartalote said: "Good - only store the user id in the session - which is a long randomized string - not an incrementing ID." I assumed it meant the user_id should not be auto-incremented.
Ah, no, it meant that if you store in your cookie, say, user_id=3, and I log in, get a valid session, and change that cookie value to 4, or 5, or 10, or 2, what user will the system think I am? Valid session, valid user id, must be user 5 or 6 - yes? No. It is user 3 mucking about with the cookie.
However, if I check the cookie and find user id = HGKJHIE9353hkb3452kjb I can try altering it, but chances are I am not going to find a valid string. Also, that string can be checked against the stored string in the current session. Also, if I join and find I am user_id=237, I can have a pretty solid idea of the maximum number of users that site has, which might be information you do not want to share. Hope that helps, Paul.
(07-25-2016, 03:53 PM) PaulD Wrote: Ah, no, it meant that if you store in your cookie, say, user_id=3, and I log in, get a valid session, and change that cookie value to 4, or 5, or 10, or 2, what user will the system think I am? Valid session, valid user id, must be user 5 or 6 - yes? No. It is user 3 mucking about with the cookie.

Haaa, ok... Yes, that would be bad... Well, I never worried much about Ion Auth since it had a good reputation and was made by Ben Edmunds. I just checked my cookies in Chrome and I have: ci_session, identity, remember_code. Identity has my user e-mail, though. I assume if I change this to another user I can't take over his account, right? I really don't know how Ion Auth works internally...
It sounds like you have checked 'remember me' and a permanent cookie was set. I am also guessing that the code will have to match the email address in the cookie, so changing it would fail that check, unless you can guess another email address and their associated code, and that user has actually also used 'remember me'.
I would be very surprised if Ion Auth had a hole in it that gaping. I tend to use my own library for auth now, but when I do not I use Ion Auth every time. It is so simple and quick to implement and is very well written. Best wishes, Paul.
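Added example, not from the thread and not Ion Auth's own code: a framework-agnostic sketch of the two points Paul makes above. First, a cookie that carries the auto-increment user_id lets user 3 become user 1 by editing one digit, while a cookie that carries only a random session id resolved against a server-side store does not. Second, a remember-me cookie made of identity plus remember_code only works if the presented code matches what the server stored for that identity, so swapping in someone else's email fails. The in-memory dicts, the sha256 storage of the code and the constant-time compare are assumptions of this sketch, not a description of how Ion Auth implements it; all user data is constructed.

```python
"""Added example (not Ion Auth's code): why a cookie should carry a random
session id rather than the user's auto-increment id, and how a remember-me
cookie can be validated against a server-side hash.  All data is constructed."""
import hashlib
import hmac
import secrets

# Constructed user table with auto-incrementing ids.
USERS = {
    1: {"email": "alice@example.com"},
    2: {"email": "bob@example.com"},
    3: {"email": "carol@example.com"},
}

# --- Insecure design: the cookie itself says who you are -------------------
def insecure_login(user_id):
    """Hand the browser a cookie containing the numeric user id."""
    return {"user_id": str(user_id)}

def insecure_current_user(cookie):
    """Trust whatever id comes back; any valid-looking number is accepted."""
    return USERS.get(int(cookie["user_id"]))

# --- Safer design: the cookie holds only an unguessable session id ---------
SESSIONS = {}  # session_id -> user_id, kept server-side only

def secure_login(user_id):
    """Create a server-side session and return the cookie that references it."""
    sid = secrets.token_urlsafe(32)  # 256 bits of CSPRNG output
    SESSIONS[sid] = user_id
    return {"ci_session": sid}

def secure_current_user(cookie):
    """Resolve the user via the session store; an unknown id yields no user."""
    user_id = SESSIONS.get(cookie.get("ci_session"))
    return USERS.get(user_id) if user_id is not None else None

# --- Remember-me: identity + random code, code stored only as a hash -------
REMEMBER_CODES = {}  # email -> sha256(code); storage scheme assumed for this sketch

def set_remember_me(email):
    """Issue a fresh code for this identity and store only its hash."""
    code = secrets.token_urlsafe(32)
    REMEMBER_CODES[email] = hashlib.sha256(code.encode()).hexdigest()
    return {"identity": email, "remember_code": code}

def login_from_remember_me(cookie):
    """Accept the cookie only if the code matches the hash stored for identity."""
    stored = REMEMBER_CODES.get(cookie.get("identity"))
    if stored is None:
        return None  # that identity never set a remember-me cookie
    presented = hashlib.sha256(cookie.get("remember_code", "").encode()).hexdigest()
    if not hmac.compare_digest(stored, presented):  # constant-time comparison
        return None  # code does not belong to this identity
    return next((u for u in USERS.values() if u["email"] == cookie["identity"]), None)

# --- Tampering scenarios from the thread -----------------------------------
def demo_tamper_user_id():
    """Carol (id 3) logs in, then edits her cookie to user_id=1."""
    cookie = insecure_login(3)
    cookie["user_id"] = "1"
    return insecure_current_user(cookie)["email"]  # -> "alice@example.com"

def demo_tamper_session_id():
    """Carol logs in, then flips one character of her random session id."""
    sid = secure_login(3)["ci_session"]
    flipped = sid[:-1] + ("A" if sid[-1] != "A" else "B")
    return secure_current_user({"ci_session": flipped})  # -> None

def demo_tamper_remember_me():
    """Carol keeps her own remember_code but swaps identity to Alice's email."""
    set_remember_me("alice@example.com")  # Alice also uses remember-me
    cookie = set_remember_me("carol@example.com")
    cookie["identity"] = "alice@example.com"
    return login_from_remember_me(cookie)  # -> None

if __name__ == "__main__":
    print("id cookie tampered  ->", demo_tamper_user_id())
    print("sid cookie tampered ->", demo_tamper_session_id())
    print("remember-me swapped ->", demo_tamper_remember_me())
```

The session id has 256 bits of entropy, so guessing another user's value is not practical, and because the id is only meaningful as a key into the server-side store, the server never has to trust anything the browser claims about who it is. The remember-me code is stored hashed, so a leaked table does not hand out working cookies, and the comparison is constant-time so response timing does not leak how many leading bytes matched.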