will this work as an alternative to http cookie?

I'm using php for my site and was wondeirng if it would be a good idea to use开发者_如何转开发 the $_SERVER md5($_SERVER['remote_addr'] + $_SERVER['http_user_agent'])) into a cookie_auth field in the user table.

When the user logs in, php will use the above key to re-check the current user and compare it to the stored key and if matched get credintials for the user.

The problems are, the user agent can change and IP can change. I guess my main concern is the user user agent. IP addresses typically stay around for a month or two and my primary user base has static ip addresses (companies) so this shouldn't be issue.

Are there any other php $_SERVER variablies that I could concatinate that would be less volitile... but still dynamic?

I have the php manual infront of me but I don't see any usefull... Maybe I'm missing something.

Do other developers implement anything similar to this?

Thoughts?

Is there a better way to go about this?

It won't work, also because of proxies. If two people with the same user agent visit, then it's disaster.

Some projects can do "cookieless sessions" by passing the session id in a GET variable in all URLs that they use.

PHP can actually do this by itself. And you can even force PHP to not use cookies at all, just pass it in GET variables.

But there are some drawbacks. If you invoke URLs of your application in your javascript code, you have to insert the session id there. Also, if there are external links, the session id can be made available via the referer (sic) HTTP parameter to third parties, which could result in potential session stealing. You have to be extra careful with XSS holes. You probably have to be careful with session fixation happening during the login procedure of your application. And so on.

my primary user base has static ip addresses (companies)

So, if one persone in MegaCorp (with all the same browsers, and the same external IP address) logs in, everybody there is logged in? Don't do it.

And another reason: all iPhones in the same area (same proxy, same browser) are logged in. All I have to do to break in is just to be within several hundred meters (to some kilometers in some places) to someone with access, and it's automagically granted to me.

There are in general 2 ways to have a 'passwordless login' (which is where most of these questions originate):

• Cookies with a sufficient 'unguessable hash' from a previous login
• Convince the user to install a certificate you can validate over HTTPS.

Most of the $_SERVER variables are attacker controlled (remote_addr is pulled directly from the tcp socket and there for cannot be spoofed or otherwise tampered with). However an attacker can change the user-agent to anything.

Don't re-invent the wheal. session_start() and the $_SESSION super-global is secure, easy to implement and robust. To use this you should always call session_start() in a header file for all pages.

if(!$_SESSION[logged_in]){
    header("location: login.php");
    die();//Yes php keeps executing so you need this!
}

then in login.php:

if(login($_REQUEST[user],$_REQUEST[password])){
    $_SESSION[logged_in]=true;
}