PHP
Konstantin Andreevich, 2012-02-06 20:09:54

Authorization, sessions (php, mysql)?

Dear Habr, help! $)
I decided to write an authorization system. I wrote it, more or less, but here is a question I ran into.
I do it like this: I have 2 tables in the database, one for users and one for sessions. The session table stores session_id, user_id and other stuff. As soon as the user logs in, a session is issued to him and written to the database in the same way. From this session we recognize the user, and thanks to the sessions table we do not store the password in cookies.
But I feel like I'm missing something. After all, the session can be substituted. What should I do? Please advise.


12 answer(s)
Alter_Ego, 2012-02-06
@Alter_Ego

Anything can be substituted if you do not use a digital signature (EDS). If you are afraid of someone guessing another user's session ID, then you need to make that ID long, for example 64 bytes. If the main concern is that the cookie with the user's session ID will be stolen from him, then check the user-agent, screen resolution, Flash version.

Alexander, 2012-02-06
@Beketov

Here's something I found, maybe useful:
habrahabr.ru/blogs/php/13726/
php.ru/forum/viewtopic.php?t=15658

shagguboy, 2012-02-06
@shagguboy

> and thanks to the sessions table we do not store the password in cookies.
sobbed

Assorium, 2012-02-06
@Assorium

Anything can be substituted. I advise you not to be extremely paranoid about this.
The comrades above give extremely useful advice. Browser + IP. In another browser you still have to log in again, and to make recognizing it easier, use a hash: md5([browser].[IP])

edogs, 2012-02-07
@edogs

Why not look at how it's done in vBulletin, Invision or just some good CMS? Authorization is really an old, reinvent-the-wheel kind of task... and while you're at it, have a look at all sorts of interesting things like a per-user password salt, login with or without "remember me", server-side authorization as an option, HttpOnly cookies, and so on and so forth.

AlexanderPHP, 2012-02-06
@AlexanderPHP

Binding by IP, and also checking that what is in the database matches what is in the cookies themselves.

no1, 2012-02-06
@no1

Bind the session to data taken from the user; the most popular are the IP address, browser, and cookies.

werdender, 2012-02-06
@werdender

You can bind it to the IP.
In general, there are examples of this out there by the cartload :)

Konstantin Andreevich, 2012-02-06
@reffy

I somehow don't want to bind by IP. What if it's a dynamic IP?
The only thing left is to check the browser's user agent. Nothing else comes to mind.)

Konstantin, 2012-02-07
@Norraxx

Am I missing this, or are you reinventing the wheel?

egorinsk, 2012-02-07
@egorinsk

It is best for you to figure out how sessions are done, for example, in PHP itself by default. Regarding the question (the session_id is stored in cookies and can be substituted): make the session_id 32-64 letters, symbols and digits. Such an id can be substituted, but first you have to guess it, and that takes years of supercomputer time.
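The scheme the question describes, with the two points made in this and Alter_Ego's answers (an id too long to guess, plus a user-agent check), as an added example that is not code from the thread. It assumes a PDO connection `$db`, a `sessions` table with the columns named in the comments, PHP 7.3 or later for the `setcookie` options array, and constructed values for the cookie name and lifetime.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $db and a
// sessions table (session_id CHAR(64) UNIQUE, user_id, user_agent_hash,
// expires_at INT); the cookie name and TTL are constructed values.
const SESSION_COOKIE = 'sid';
const SESSION_TTL    = 86400;

// 32 random bytes -> 64 hex chars: not guessable, so an attacker cannot
// simply pick a valid id. This is the only real secret in the scheme.
function newSessionId(): string {
    return bin2hex(random_bytes(32));
}

// Weak secondary signal: it is copied along with a stolen cookie, but it
// does catch a naive reuse from a different browser.
function userAgentHash(): string {
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the password check succeeds. A fresh id is issued at every
// login so an id planted before authentication is never promoted.
function startSession(PDO $db, int $userId): void {
    $sid = newSessionId();
    $stmt = $db->prepare('INSERT INTO sessions (session_id, user_id, '
        . 'user_agent_hash, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$sid, $userId, userAgentHash(), time() + SESSION_TTL]);
    // HttpOnly hides the id from scripts, Secure keeps it off plain HTTP.
    setcookie(SESSION_COOKIE, $sid, [
        'expires' => time() + SESSION_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the logged-in user_id, or null if the cookie is missing,
// malformed, unknown, expired, or presented from another user agent.
function currentUserId(PDO $db): ?int {
    $sid = $_COOKIE[SESSION_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $sid)) {
        return null;
    }
    $stmt = $db->prepare('SELECT user_id, user_agent_hash, expires_at '
        . 'FROM sessions WHERE session_id = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()
        || !hash_equals($row['user_agent_hash'], userAgentHash())) {
        return null;
    }
    return (int) $row['user_id'];
}
```

Deleting the row from `sessions` on logout (or when the user-agent check fails) is what actually invalidates a stolen id, since the cookie alone proves nothing once its row is gone.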

Arris, 2012-02-20
@Arris

IMHO, you should first decide:
1) will 90% of users substitute the session?
2) will the same 90% fake the user agent?
If not, it's not worth complicating the task ;-) IMHO.
