OAuth
Dmitry Tarasov, 2018-06-02 19:13:54

How to authorize the user on the site after closing the browser?

I have a custom PHP project. At login, if a person chooses to be remembered in the system, a special random hash is generated and written to the database and to a cookie. After the browser is closed and reopened, the session is destroyed; when the user returns to the resource, it checks whether there is a session. If there is none, we check the cookies for an authorization hash; if there is one, we check it against the database, authorize the user in the system, and create a new session. That is, if the cookie is stolen, one can get into the user's personal account. Then I thought I could make a hash from user-agent + password hash and write that hash into the cookie, but I immediately realized that the user-agent can be faked. Actually, I don't know what to do. How can I authorize a user for a long time, 2 days for example, into a personal account in a more secure way than a cookie with a password hash and user-agent, as it is now?


1 answer(s)
Vladimir Dubrovin, 2018-06-02
@fast-je

Use TLS (https) and cookies with the HttpOnly and Secure flags. It is better to use a fairly long random session ID as the cookie.
Such a cookie cannot be stolen via XSS; it can only be stolen by gaining access to the user's browser. But if the attacker has gained access to the browser, you will not be able to help the user in any way: the attacker will have access to everything the user has access to.
It is possible to optionally bind the cookie to the autonomous system (AS) and the browser, but this does not provide any real additional protection. Binding to the IP is not recommended, because the IP can change quite often for a user, especially a mobile one.
You should not write a password hash anywhere: it gives nothing in terms of protection, but it allows you to reset the password if the cookie is somehow stolen (for example, through a bug on a subdomain).
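The scheme the answer recommends, written out as an added PHP example (this is not code from the question or the answer): a long random token as the cookie value, sent with the Secure and HttpOnly flags, and checked against the database instead of a password hash. Beyond the answer's advice, it stores only a hash of the token's secret part in the database and rotates the token on every use; those are design choices of this example. The PDO connection `$pdo`, the table `remember_tokens`, its columns, and the MySQL `NOW()` call are assumptions.

```php
<?php
// Added example of a "remember me" cookie for a PHP app. Assumptions: a PDO
// connection in $pdo and a table remember_tokens(selector CHAR(24),
// verifier_hash CHAR(64), user_id INT, expires_at DATETIME); table and column
// names are invented for this example. Requires PHP 7.3+ for the setcookie()
// options array.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 2 * 24 * 3600; // two days, as in the question

// Cookie flags shared by the issue and clear paths. SameSite=Lax is an extra
// choice beyond the answer; it limits cross-site sending of the cookie.
function rememberCookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // never sent over plain http
        'httponly' => true,   // not readable by JavaScript, so XSS cannot read it
        'samesite' => 'Lax',
    ];
}

// Issue a token at login. The cookie holds "selector:verifier"; only a hash of
// the verifier is stored, so a copy of the table alone cannot forge a cookie.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector = bin2hex(random_bytes(12));  // 24 hex chars, lookup key
    $verifier = bin2hex(random_bytes(32));  // 64 hex chars, the secret
    $expires  = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, verifier_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $selector,
        hash('sha256', $verifier),
        $userId,
        date('Y-m-d H:i:s', $expires),
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $verifier, rememberCookieOptions($expires));
}

// On a request with no session: validate the cookie and, if it is good, start
// a fresh session and rotate the token. A stolen cookie then works only once,
// and reuse of the old value shows up as a failed lookup.
function loginFromRememberCookie(PDO $pdo): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $verifier] = explode(':', $raw, 2);

    $stmt = $pdo->prepare(
        'SELECT verifier_hash, user_id FROM remember_tokens
         WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many characters of the verifier matched.
    if ($row === false || !hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        clearRememberCookie();
        return null;
    }

    $userId = (int) $row['user_id'];

    // Single use: remove the old token before issuing a new one.
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);

    session_start();
    session_regenerate_id(true);   // fresh session id, old one discarded
    $_SESSION['user_id'] = $userId;

    issueRememberToken($pdo, $userId);
    return $userId;
}

function clearRememberCookie(): void
{
    setcookie(REMEMBER_COOKIE, '', rememberCookieOptions(time() - 3600));
}
```

Call `issueRememberToken()` after a successful password login when the user ticked "remember me", and `loginFromRememberCookie()` at the top of requests that arrive without a session. Because the cookie carries a random value rather than anything derived from the password, a leaked cookie is invalidated by deleting its row (or all rows for the user), without touching the password.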
