Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
@
@
@vareted2020-07-03 04:07:47
PHP
@vareted, 2020-07-03 04:07:47

PHP, security, authorization. Question?

I write authorization for the site in php. There was a question about security when implementing the "remember me" function. In short, the user is given a cookie with a token that is generated by the method:
$bytes = random_bytes(rand(150, 267));
$token = bin2hex($bytes);
Save it to the database and issue it to the user. During subsequent identification, the token is checked and the user is authorized. The
question is, is it possible to unauthorizedly authorize on the site using the brute force combination method? Can it be better to identify the user by two parameters: for example, his id in the database and the generated token?

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
S
Stalker_RED, 2020-07-03
@Stalker_RED

You already decide there, you are safe or "remember".
If you are not a bank, then in 99% of cases a normal session is enough + some kind of brute force protection, at least fail2ban.
How is your additional token different from the session id?

Similar questions
M
Mikhail Potapenkov2016-06-13 18:20:30
On initial startup, the OS issues a blue screen 0x0000007B. What does it mean? 4Reply
P
plan_ept2018-11-19 12:31:46
What does PLAN(NATURAL) output mean? 5Reply
A
Albert Zurabyan2016-06-24 14:55:21
How to hide some object ids from a site from a SQL query? 3Reply
S
Sergey Kulandin2015-04-20 12:45:33
Is crossfire radeon 7850+7870 stable? 3Reply
A
Andrei1penguin12021-04-01 00:37:45
Why don't losses decrease? 3Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question