7a-666, 2019-11-16 14:48:43

Security when using a session?

In general, I'm making an online store for my portfolio. It has a personal account, and when I log in or register, I start a session with the user's values from the database, namely id, login, and password (encrypted). As far as I know, if you create cookies for this, you can change, say, the id and end up in someone else's account. Is there something similar with sessions? How safe is my session? Share your experience on how to do it better.


5 answer(s)
tundramani, 2018-11-04
@tundramani

almost everything in this world is written in C))
however:

Any application that can be written in JavaScript will eventually be written in JavaScript

Somewhere Intech, 2019-11-16
@john36allTa

Search by the keywords "php session injection".
Here, for example

xmoonlight, 2019-11-16
@xmoonlight

1. Bind the session identifier to the client (browser) via a fingerprint (a "fingerprint" of the client), hash it (no encryption!) with the server "salt", and save it on the client in cookies.
2. Then, check this id when the IP changes within this session by asking for the real fingerprint and its hash from the cookie, and check them against what is stored in the session on the server side: a mismatch means it is someone else! ;)
Bottom line: if someone changes the cookies, they will never know the real "fingerprint" of the client and will not be able to do anything with stolen cookies from someone else's account.
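
The two steps in the answer above, as an added PHP example that is not part of the original answer. Assumptions: the fingerprint is built from the User-Agent and Accept-Language headers, the keyed hash is HMAC-SHA-256 under a server-side secret, and the function names and sample requests are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the "fingerprint" is built from request headers; the answer does not say which.
function client_fingerprint(array $server): string {
    return ($server['HTTP_USER_AGENT'] ?? '') . "\n" . ($server['HTTP_ACCEPT_LANGUAGE'] ?? '');
}

// Keyed hash (HMAC-SHA-256, an assumption) of session id + fingerprint under the server secret.
function fingerprint_token(string $sessionId, string $fingerprint, string $secret): string {
    return hash_hmac('sha256', $sessionId . "\n" . $fingerprint, $secret);
}

// Step 1: at login, keep token and IP in the server-side session; the token also goes in a cookie.
function bind_session(array &$session, string $sessionId, array $server, string $secret): string {
    $token = fingerprint_token($sessionId, client_fingerprint($server), $secret);
    $session['fp_token'] = $token;
    $session['ip'] = $server['REMOTE_ADDR'] ?? '';
    return $token;
}

// Step 2: on an IP change, recompute from the live request and compare with cookie and session.
function check_session(array &$session, string $sessionId, array $server, string $cookieToken, string $secret): bool {
    $ip = $server['REMOTE_ADDR'] ?? '';
    if (($session['ip'] ?? '') === $ip) { return true; } // IP unchanged: nothing to re-check
    $expected = fingerprint_token($sessionId, client_fingerprint($server), $secret);
    $stored = $session['fp_token'] ?? '';
    if (!hash_equals($stored, $expected) || !hash_equals($stored, $cookieToken)) {
        $session = []; // mismatch: drop the session data and force a new login
        return false;
    }
    $session['ip'] = $ip; // same client on a new network
    return true;
}

// Constructed sample requests (documentation IP ranges, made-up headers).
$secret = 'constructed-demo-secret'; // in practice a long random value kept on the server
$sid = bin2hex(random_bytes(16));
$owner = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_USER_AGENT' => 'Browser/1.0', 'HTTP_ACCEPT_LANGUAGE' => 'en'];
$session = [];
$cookie = bind_session($session, $sid, $owner, $secret);

$moved = ['REMOTE_ADDR' => '198.51.100.7'] + $owner; // same browser, new IP
var_dump(check_session($session, $sid, $moved, $cookie, $secret));
$other = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_USER_AGENT' => 'Other/2.0', 'HTTP_ACCEPT_LANGUAGE' => 'de'];
var_dump(check_session($session, $sid, $other, $cookie, $secret)); // copied cookie, different client
```

The fingerprint inputs in this sketch are ordinary request headers, so the check is only as strong as those values are hard to reproduce. Regenerating the session id at login with `session_regenerate_id(true)` and marking the session cookie HttpOnly and Secure remain the baseline.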

FanatPHP, 2019-11-16
@FanatPHP

The answers are all hell, of course.
No.
Quite safe. That is what sessions were invented for.

Anton Neverov, 2019-11-16
@TTATPuOT

It is best to use the JWT methodology, where all the data about the user is inside the cookie in BASE64.
Good video about these tokens.
There are other approaches and methodologies for tokens, but I obviously like them less, so I will insidiously keep silent about them. If interested, google "Authorization Methods".
