Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
D
D
Dmitry Tarasov2018-06-02 19:13:54
OAuth
Dmitry Tarasov, 2018-06-02 19:13:54

How to authorize the user on the site after closing the browser?

I have a custom php project. At the entrance, if a person decides to remember himself in the system, then a special random hash is generated, which will be written to the database and cookies, after which, when the browser is closed and reopened, the session is destroyed, it turns to the resource again, it checks whether there is a session, no, then we check cookies whether there is a hash for authorization, if there is, we check it with the database and authorize the user in the system, and make a new session. That is, if the cookie is stolen, then you can go to the user's personal account, then I thought I could make a hash from user-aget + password hash and write all this hash into the cookie, but then I immediately thought that user-aget can be faked. Actually, I don't know what to do. How to authorize a user for a long time 2 days, for example, to a personal account in a more secure way than a cookie with a password hash and user-aget, as it is now.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
V
Vladimir Dubrovin, 2018-06-02
@fast-je

Use TLS (https) and cookies with the HTTP Only and Secure flag. It is better to use a fairly long random session ID as a cookie.
Such a cookie cannot be stolen via XSS, it can only be stolen by gaining access to the user's browser. But if the attacker has gained access to the browser, you will not help the user in any way. The attacker will have access to everything the user has access to.
It is possible to optionally link the cookie to the autonomous system (AS) and the browser, but this does not provide any real additional protection. Binding to IP re is recommended because IP can change quite often for a user, especially a mobile one.
You should not write a password hash anywhere, this does not give anything in terms of protection, but it allows you to reset the password if the cookie is somehow stolen (for example, through a bug on a subdomain).

Similar questions
H
holyshitplayer2021-08-03 17:16:14
How to implement Twitter OAuth with Golang OAuth2? 1Reply
V
Vasyl Fomin2018-05-01 20:48:32
How is registration / authorization through the social. networks using oAuth2 if one of the social networks does not give email / phone? 1Reply
A
alexnotonfire2016-01-17 21:40:52
How to make authentication with Google via OAuth 2.0 in a popup? 1Reply
B
Bogdan Pasechnik2016-01-26 13:18:49
What is my mistake when authorizing google via oauth2? 1Reply
D
Daniil Myasnikov2021-09-18 21:26:25
How to properly implement authorization through social networks paired with laravel-passport? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question