Cookie + db token + session authentication, can i do away with the sessions
I have a little web app, which uses a lot of ajax. After someone logs in, what we need to keep persistent is their user_id and group_id
The way I first did authentication, I just stored these as clear text in cookies ($_COOKIE['user_id'], $_COOKIE['group_id']). Obviously that was bad since you could modify both values!
I'm not an experienced programmer and don't need massively amazing security for this app. But that was pretty bad.
So, I moved on to creating a token in the database, which stores the user_id, group_id and a hash token, and then putting only that token in the cookie. The user_id and group_id are created as sessions once the token is authenticated (cookie matches database).
This is more secure but the whole thing of having to manage the user_id and group_id sessions (timeouts, reinitialising) vs just grabbing them from cookies has caused a lot of grief and made my app's actual functioning less reliable.
Now, accepting my level of skill, and that the easy management + robust functioning of my app is more important than high-level security... I'm wondering if I could do away with the sessions, and do a compromise by still storing the user_id and group_id in a cookie but along with the hash - i.e.
COOKIE['token'] = user_id_val+group_id_val+hash_in_db
would look like: 23-144-jhwr8324398fjk2j49083223n23
So all I need is a little function to parse that string and do everything from that. Someone could change the values but obviously the hash won't match.
Is this ok?
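As an added illustration of the scheme proposed in the question (this is not code from the question or the answer), the following PHP verifies a "user_id-group_id-token" cookie by looking the token up in the database and treating the database row, not the cookie, as the identity; the $tokenTable array is a constructed stand-in for that database lookup.

```php
<?php
// Constructed stand-in for the token table: token => [user_id, group_id].
$tokenTable = [
    'jhwr8324398fjk2j49083223n23' => ['user_id' => 23, 'group_id' => 144],
];

/**
 * Parse "uid-gid-token" and return the ['user_id' => .., 'group_id' => ..]
 * row stored for that token, or null when anything does not check out.
 * The ids copied into the cookie are only cross-checked; what the app
 * goes on to use is always the row from the database.
 */
function authenticateCookie(string $cookie, array $tokenTable): ?array
{
    $parts = explode('-', $cookie, 3);
    if (count($parts) !== 3) {
        return null;                       // malformed cookie
    }
    [$uid, $gid, $token] = $parts;
    if (!ctype_digit($uid) || !ctype_digit($gid) || !ctype_alnum($token)) {
        return null;                       // outside the expected alphabet
    }
    if (!isset($tokenTable[$token])) {
        return null;                       // unknown or expired token
    }
    $row = $tokenTable[$token];
    // Constant-time comparison of the cookie's ids against the stored ones,
    // so a mismatch cannot be distinguished through timing.
    $expected = $row['user_id'] . '-' . $row['group_id'];
    if (!hash_equals($expected, $uid . '-' . $gid)) {
        return null;                       // ids were edited; token is not theirs
    }
    return $row;
}

// Constructed cookie values: as issued, with user_id edited by the client,
// and with a token that exists nowhere in the table.
var_dump(authenticateCookie('23-144-jhwr8324398fjk2j49083223n23', $tokenTable));
var_dump(authenticateCookie('24-144-jhwr8324398fjk2j49083223n23', $tokenTable));
var_dump(authenticateCookie('23-144-aaaaaaaaaaaaaaaaaaaaaaaaaaa', $tokenTable));
```

Because the row is looked up by token alone, the ids in the cookie add no security; the token must be unguessable (generated from a cryptographic random source) and should expire server-side.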
You don't need cookies at all (well, except for the session cookie) for authentication. Here's an example of a simple cookie-less authentication:
<?php
session_start();

// $db is a pseudo object for database access

// Verify login: trust the session only if the stored hash matches the
// user record loaded fresh from the database
$auth = false;
if (isset($_SESSION['user_id']) && isset($_SESSION['user_hash'])) {
    $user = $db->getUserById($_SESSION['user_id']);
    if ($user) {
        $hash = sha1($user->id . $user->salt);
        if ($hash === $_SESSION['user_hash']) {
            $auth = true;
        }
    }
}

// Make login
if (isset($_POST['login'])) {
    $user = $db->getUserByCredentials($_POST['login'], $_POST['password']);
    if ($user) {
        // issue a fresh session id on login so a pre-login id cannot be reused (session fixation)
        session_regenerate_id(true);
        $_SESSION['user_id'] = $user->id;
        $_SESSION['user_hash'] = sha1($user->id . $user->salt);
        // redirect...
    } else {
        // redirect to error page
    }
}
Of course, this can be improved to add defence mechanisms against all sorts of attacks, store user information, etc. but this is the basic idea. It's way more secure than using cookies.