Re: Best practice, (secure), to save session data? [message #178404 is a reply to message #178402]
Thu, 14 June 2012 11:46
Jerry Stuckle
On 6/14/2012 4:35 AM, Simon wrote:
> Hi,
>
> We have a site where many users can login/logout, (giving them access to
> their personal information).
>
> The users have 2 choices, either we 'remember' the user after they close
> their browsers or not, (for up to 30 days).
>
> We create a unique cookie id and we store/retrieve the data based on
> that unique id.
>
> But that means a read + a write every single time any user hits the
> site. I realise that it is a very small operation with a tiny amount of
> overhead, but I wonder if it is the 'best' solution.
>
> It was suggested that I base64_encode/base64_decode the data as a cookie
> but I am not sure about the security implications of doing that, (the
> way I see it, if they can get the session cookie then they can just as
> well access the base64_encoded data anyway).
>
> We have an https site, but we also allow login/access via http.
>
> Any tutorial/reading material/suggestions on how I can store logged-in
> users' credentials?
>
> Thanks
>
> Simon
>
Anything stored on the user's machine is subject to compromise. Base64
encoding data provides absolutely no security. And you're right, if
someone has access to the cookie, they have access to the data.

It's just like handing someone the key to your car. They can take your
car any time they want. There is no way around this.

If you're concerned about the security implications, don't save the
cookie (and keep relatively short timeouts on your sessions).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
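To make the contrast concrete, here is an added example that is not from the thread (written in Python rather than the PHP the thread's base64_encode/base64_decode imply): a base64 cookie is readable by whoever holds it, whereas a server-side store keyed by a random id keeps the data off the client and lets the server enforce the short timeout and the opt-in 30-day "remember me" window. The SessionStore class, its clock parameter and the sample cookie value are constructed for illustration.

```python
import base64
import json
import secrets
import time

SESSION_IDLE_SECONDS = 30 * 60            # short idle timeout for ordinary sessions
REMEMBER_ME_SECONDS = 30 * 24 * 60 * 60   # the 30-day "remember me" window from the thread

# Constructed sample: what a "base64 the data into the cookie" scheme would hand the browser.
SAMPLE_COOKIE = base64.b64encode(json.dumps({"user": "simon", "role": "admin"}).encode()).decode()


def decode_base64_cookie(cookie_value: str) -> dict:
    """base64 is an encoding, not encryption: whoever holds the cookie reads the payload."""
    return json.loads(base64.b64decode(cookie_value).decode("utf-8"))


class SessionStore:
    """Server-side store: the cookie carries only a random id; the data never leaves the server."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable clock so expiry can be exercised offline
        self._sessions = {}      # sid -> {"user", "last_seen", "expires"}

    def create(self, user_id: str, remember_me: bool = False) -> str:
        sid = secrets.token_urlsafe(32)   # 256 bits from the CSPRNG: an unguessable id
        now = self._clock()
        # Remember-me sessions get an absolute 30-day cap; ordinary ones a sliding idle window.
        expires = now + REMEMBER_ME_SECONDS if remember_me else None
        self._sessions[sid] = {"user": user_id, "last_seen": now, "expires": expires}
        return sid

    def lookup(self, sid: str):
        """Return the user for a live session, or None; stale records are dropped on sight."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if entry["expires"] is not None:
            expired = now > entry["expires"]
        else:
            expired = now - entry["last_seen"] > SESSION_IDLE_SECONDS
        if expired:
            self._sessions.pop(sid, None)
            return None
        entry["last_seen"] = now          # activity extends an ordinary session
        return entry["user"]

    def destroy(self, sid: str) -> None:
        """Logout invalidates the server-side record, so a copied cookie is useless afterwards."""
        self._sessions.pop(sid, None)
```

The server can also shorten or revoke any session at will, which is the lever Jerry's advice about short timeouts relies on and which a self-contained cookie cannot offer.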