• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Best practice to handle user data with cookies

#1
I have some session issues, so i had to change my user login sessions to cookies. You can find below how it works. My question is: is it safe to have handle user login this way?

1) When user enters valid username and password i generate a random and unique string and store it in db and value in cookie. I also store users IP in db
2) On each page i look for the cookie if it exists, i yes, i do a db search for the string stored in cookie where visitors ip matches the stored last login ip.
3) on logout i delete the cookie, and string stored in db

Thank you, please let me know if there are any security (or other) issues with this process
Reply

#2
are you encrypting the cookies?
Reply

#3
Most of what you propose is good, but remember that most session libraries are going to regenerate the session ID every few minutes, or at whatever interval you specify. Session ID regeneration is critical. Also, the IP matching has potential problems that you can read about, but just know that it's not perfect. Lastly, you mention nothing of expiration for your login. Be sure to have an expiration.

Sessions and cookies in PHP differ in one major way. With sessions the session data is stored on the server, and a session ID basically gives you access to it. With cookies the data is passed to the browser, and the browser passes the data back with every request after that. This difference can effect the availability of the data in your code, so just know the difference. Also, since the data stored in the session is on the server, and the data stored in a cookie is sent to the browser, be aware of the consequences of that data being where it is. Either way, I always encrypt my session/cookie contents.

If you're having problems with sessions, I'd say it would be better for you to learn how to correct the problems, not just switch to cookies. You're probably going to find that whatever problems you're having with sessions will be there with cookies too, once you make your login robust enough to be safe and full featured.

Community Auth uses CI's session library just for the convenience of it being there, but it also sets some cookies as well. Cookie contents are encrypted by default.
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.