Answer the question
In order to leave comments, you need to log in
PHP, security, authorization. Question?
I write authorization for the site in php. There was a question about security when implementing the "remember me" function. In short, the user is given a cookie with a token that is generated by the method:
$bytes = random_bytes(rand(150, 267));
$token = bin2hex($bytes);
Save it to the database and issue it to the user. During subsequent identification, the token is checked and the user is authorized. The
question is, is it possible to unauthorizedly authorize on the site using the brute force combination method? Can it be better to identify the user by two parameters: for example, his id in the database and the generated token?
Answer the question
In order to leave comments, you need to log in
You already decide there, you are safe or "remember".
If you are not a bank, then in 99% of cases a normal session is enough + some kind of brute force protection, at least fail2ban.
How is your additional token different from the session id?
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question