Security and home-made Logon method

irishtarot

Hi guys

I have a problem/question that perhaps you might be able to help me with.

I designed a site in php ( Irishtarot.com )

After reading and reading session scripts with PHP I decided I still had no idea what sessions were all about and I thought I could do it much better by making a system that sets a cookie.

When a user logs in they get a cookie with their db userID.

If this cookie exists the website displays content based on their userID, in this case, it allows them to store free tarot readings in their account and displays them depending on their userID etc...

This is all grand however there is one slight worry. If a nasty user comes along and discovers how I am doing this they could just update their cookie with another userID and the site will allow them to see information from anybody.

This is not too important as I don't store money or anything like that, however it is not nice. If I use a secure connection it will not help either.

So what would you guys suggest?

PHP Sessions or a my cookie idea. The point being that PHP sessions seem to do the same thing as my cookie idea but make it 10 times more complicated.

Many thanks
Dave

okuto1973

Complicated the session?Well i think not!

You can also continue using cookies and put not only the username variable but also the password!Anche check if that user with that password is authorized to see a particular web page!

You can also make the same with session!

session_start();
$select="select * from users where username='$username' and password='$password'";

Then put the username and password in session if authenticated...(if that user with that password exist!)

session_register(sess_password);
session_register(sess_username);

and show the web page for that user!

irishtarot

Hi ya

Hehe Sessions are evil :-) they make no sense to me at all.

For example, what exactly do they do only put a strange random number after the URL in the var SID. How is that useful to me, as in it's not linked to any database for example.

So in my example, how would starting a session do anything for me? :-) my own session works, and with your password example, would completely work, so how would you implement a session to replace that.

Anyway, I like your quick solution to add the password into the cookie. What security implications would this have however?

If I encrypt the connection then I believe the cookie would be sent securely and from then on as long as the connection is secure it would not be possible to spoof the cookie ID because the password would not be the same.

okuto1973

Hope password in cookies helps you!

Tj_C

Hey Irish-

Now I will probably get beat up by all the smart people here but.... 😃

Sessions are very cookie like. Essentially it is a way of letting you store info so you can share it among pages.

I think your finding it difficult cause PHP makes it so easy.

How it would work in your example...

start a session on the login page, and then set varibables contianing whatever info you need on other pages.

On the other pages you can read the session information, and use it to your liking. Pass and User validation, custom look, different content, whatever you want.

Just remeber that you have to "start" the session on every page to get access to what your vars.

Also don't forget to destory the session when your user logs off/times out.

As for the security implications of storing a password in the cookie...I guess this depends on how you encrypt the password and if it can be decrypted or not.