PHP
Evgeny Ivanovich, 2018-01-30 17:32:55

How to make a website secure during authorization?

I am not a professional web developer, so I tried to implement authorization on the site the way it occurred to me: using cookies. More specifically, like this:
The user enters a login and password, and if they match the database, the login and id are recorded in cookies. Then, by the value of cookie['login'], the site determines whether the user is authorized and who they are. But if the user simply changes the value of the cookie (I don't know whether the user can change the value or only delete it), the site will think that you are no longer Vanya, for example, but Petya. Of course, you could write a hashed password to the cookie so that each page checks the cookie for a match (login == db.login && password == db.password), but I'm not sure this is correct. Or does the user not actually have access to change the value of the cookie?


3 answer(s)
xmoonlight, 2018-01-30
@xmoonlight

There are browser cookies $_COOKIES, and there are session variables $_SESSION (whose ID is also stored in a browser cookie).
In the browser, apart from the session ID, it is better not to store anything important, because it can be changed without any problem.
All session data must be stored on the server side.
Set a session flag after successful authorization in the PHP script on the server side, for example like this: $_SESSION['user'] = $username; and everywhere check the presence and content of this variable:

session_start(); // must be called before $_SESSION is available
if (!empty($_SESSION['user'])) {
  // user is authorized...
}
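The session-flag approach from this answer, written out as an added example (not the answerer's code): the cookie carries only the session id, the user's identity lives in $_SESSION, and the id is regenerated at login so a pre-login id cannot be reused. The $users array, the 'vanya' account and the /login.php path are constructed stand-ins for a database lookup and a real login page.

```php
<?php
declare(strict_types=1);

// Harden the session cookie before starting the session.
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie: gone when the browser closes
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);
session_start();

// Constructed stand-in for the users table; a real app queries the DB by login.
$users = [
    'vanya' => ['id' => 1, 'password_hash' => password_hash('vanya-secret', PASSWORD_DEFAULT)],
];

function login(array $users, string $login, string $password): bool
{
    $user = $users[$login] ?? null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false; // unknown login or wrong password: nothing is stored
    }
    // Discard the pre-login session id so a fixated id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['user']    = $login;
    return true;
}

function currentUser(): ?string
{
    // Only server-side session data decides who is logged in.
    return isset($_SESSION['user_id']) ? $_SESSION['user'] : null;
}

function requireLogin(): void
{
    if (currentUser() === null) {
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```

Call login() from the form handler and requireLogin() at the top of every protected page; a user who edits cookies can at most change the session id, which then matches no server-side session.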

fman2, 2018-01-30
@fman2

You can store it in cookies, or you can store it in sessions. In cookies, store ONLY a unique token, which, if stolen, will stop working. Anything can be stored in a session, but the standard mechanism sets the session lifetime to SESSION.
Most importantly, the session identifier is in a cookie (PHPSESSID); many people forget about this. And if you increase the session lifetime, then session == cookies.

Vasiliy_M, 2018-01-30
@Vasiliy_M

Of course, you can write a hashed password to the cookie so that each page checks the cookie for a match - login == db.login && password == db.password, but I'm not sure if this is correct.

It is right. Not safe, but correct. Not safe because you can go to the browser and steal the cookies, but that is a different kind of problem. You can set the cookie lifetime = 0 and it will emulate a session, but without generating a pile of session files.
I.e.:
1. The user enters a login and password, and they are correct.
2. Set cookies:
- ID - the user ID
- HASH - md5(user_password_hash + salt), where
  user_password_hash - the hashed password stored in the database
  salt - the salt
Then on each page the query is of the same form, and after it you just compare $_COOKIE['HASH'] === md5($user['user_password_hash'] . $user['salt']).
Pros of the approach:
- the "session" is never destroyed (i.e. the user is always authorized) if you do not set the cookie lifetime = 0. For many sites where security is not critical, this is a very beautiful, easy and simple authorization option.
