I came across the same problem a few weeks ago, and thought (didn't do it though) that the best way to handle this kind of security would be to make an ID/cookie for the user/session which deletes itself after the browser is closed, but not storing the password.

Then, if that same user wants to open a new session on another computer at the same time, I would have a *REPLICATION* script which looks up that user and tells him that he already has an open session and that he should type the password again (like Hotmail does). Makes sense?

C.

> -----Original Message-----
> From: 1LT John W. Holmes [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 16, 2002 4:51 PM
> To: Chad Day; [EMAIL PROTECTED]
> Subject: Re: [PHP] Sessions / logins / cookies / security
>
> There really isn't a good way to do this, I think.
>
> Any time you're taking just a cookie, and using that data to assume who the
> user is, it's open to hijacking. I can sniff the cookie or maybe find a
> cross-site scripting bug to steal it, create the same cookie on my machine,
> and poof, I'm that user.
>
> Now, if it's just for a forum, or something simple, then just do it. It's
> not worth worrying about someone hijacking my forum user.
>
> Anyway, the best way to create the unique id is to use uniqid() in combo
> with md5(). That'll give you a 32 character string that's hard to predict
> and isn't based on any of the user data.
>
> www.php.net/uniqid
>
> ---John Holmes...
>
> ----- Original Message -----
> From: "Chad Day" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, July 16, 2002 3:30 PM
> Subject: RE: [PHP] Sessions / logins / cookies / security
>
>
> > Anyone? Can someone at least point me to some web article for
> > recommendations? I saw some examples where a password variable was stored,
> > but is that really safe (as long as I MD5 it first?)
> >
> > Chad
> >
> > -----Original Message-----
> > From: Chad Day [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, July 16, 2002 12:30 PM
> > To: [EMAIL PROTECTED]
> > Subject: [PHP] Sessions / logins / cookies / security
> >
> >
> > I asked something similar a little while ago, but didn't do a good job
> > clarifying.
> >
> > What I'm looking to do is when a user logs in, I start up the session. I
> > then have the registered session var to verify they are authenticated as
> > they move throughout the site.
> >
> > Now, when they close the browser and come back, I want them to still be
> > authenticated. Obviously, I have to set a cookie. But what do I set? Do I
> > set just their user ID? The MD5 of their password? What's the most secure
> > way, that's not easily spoofed? I don't know that much about cookies, but
> > if I just use a user ID, couldn't someone just change that ID value and
> > 'become' another user?
> >
> > Thanks for any advice,
> > Chad
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
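As an added example (not code from the thread or from any of the posters), here is how the approach in the reply above and John's random-token suggestion look in PHP: the cookie carries only a random token, never the user id or the password, the server keeps only a hash of that token, and a lookup implements the "you already have an open session, type your password again" check C. describes. It swaps the thread's uniqid()+md5() for random_bytes(), which draws from the OS CSPRNG. The $store array (a stand-in for a database table), user id 42, the 30-day lifetime and all function names are constructed assumptions; the setcookie() options array needs PHP 7.3 or later.

```php
<?php
// Added example, not from the thread. $store stands in for a DB table so the
// script runs stand-alone: token_hash => ['user_id' => int, 'expires' => int].
$store = [];

// Issue a fresh token for $userId. random_bytes() replaces the thread's
// uniqid()+md5(): 32 CSPRNG bytes cannot be predicted from the clock or
// from any user data. Only the SHA-256 of the token is stored, so a leaked
// table does not hand out usable cookies.
function issueRememberToken(array &$store, int $userId, int $ttl = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));        // this is what the cookie carries
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + $ttl,
    ];
    return $token;
}

// Set the cookie with the flags a defender wants: HttpOnly keeps script (and
// therefore an XSS bug, John's hijacking scenario) from reading it, Secure
// keeps it off plaintext HTTP, SameSite=Lax keeps most cross-site requests
// from carrying it.
function sendRememberCookie(string $token, int $ttl = 30 * 86400): void
{
    setcookie('remember', $token, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a returning cookie: user id, or null when unknown or expired.
// Because the lookup is by hash of a random value, editing the cookie to
// some other value (Chad's "change that ID and become another user") simply
// misses; nothing user-derived is in the cookie to tamper with.
function userFromRememberCookie(array &$store, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;                             // malformed: reject before hashing
    }
    $key = hash('sha256', $cookie);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] < time()) {
        unset($store[$key]);                     // expired: drop it server-side too
        return null;
    }
    return $store[$key]['user_id'];
}

// C.'s "replication" check: does this user already hold a live token from
// another browser? The caller uses a true result to re-prompt for the
// password before issuing a second token.
function hasOtherActiveSession(array $store, int $userId, ?string $currentCookie): bool
{
    $currentKey = $currentCookie !== null ? hash('sha256', $currentCookie) : null;
    foreach ($store as $key => $row) {
        if ($row['user_id'] === $userId && $row['expires'] >= time() && $key !== $currentKey) {
            return true;
        }
    }
    return false;
}

// Revoke every token for a user (logout everywhere, password change).
function revokeAllTokens(array &$store, int $userId): void
{
    foreach ($store as $key => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$key]);
        }
    }
}

// --- Walk-through with the constructed store ---
$token1 = issueRememberToken($store, 42);                          // first browser logs in
assert(userFromRememberCookie($store, $token1) === 42);
assert(userFromRememberCookie($store, '42') === null);             // bare user id: rejected
assert(userFromRememberCookie($store, str_repeat('0', 64)) === null); // guessed token: rejected

// Second browser for the same user: detect the open session first.
if (hasOtherActiveSession($store, 42, null)) {
    // ... re-prompt for the password here; only on success:
    $token2 = issueRememberToken($store, 42);
    assert(userFromRememberCookie($store, $token2) === 42);
}
revokeAllTokens($store, 42);
assert(userFromRememberCookie($store, $token1) === null);          // old cookie is now dead
```

In a real login handler you would call issueRememberToken() after password_verify() succeeds and then sendRememberCookie() with the returned token; on later requests, userFromRememberCookie($store, $_COOKIE['remember'] ?? null) decides whether to start an authenticated session. Storing only the hash and rotating the token on each use keeps the damage from a stolen cookie bounded to one token's lifetime, and revokeAllTokens() is what a password change should trigger.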