Would this be Secure?

Posted by aldo, 01-09-2008, 03:19 AM
I currently only use cookies for my user systems. I see people saying they're not very secure, and sessions should be used. So my question is, should I use COOKIES and SESSIONS for my user system? For instance, since sessions only last till you close your browser or leave the site, I would store a random string and a username in cookies. Now the session ID and username are stored in an SQL DB. Now when they log in, the random ID is made and stored in their browser and the DB along with their username, and the session is then started. When they leave, the session ends but the cookie is still there. Now when they come back, I get the random ID and the user, and if it's in the DB (the ID and user match) their session is restarted. So is that secure or not? If not, what should I do to make it secure?

Posted by Czaries, 01-09-2008, 11:19 AM
Yes, you should be using sessions to store user information rather than cookies. The reason is because the user has no access to the session file on your server stored below the web root, but since the cookie is stored on their computer, they can edit or inspect it anytime they want. I think the method you are using to restore the session is secure enough, although someone could potentially restart someone else's session by entering a random string that happens to be the saved session for another user.

Posted by awatson, 01-09-2008, 12:33 PM
That's the basic way it's done. The key (like Czaries said) is to be sure you're using a sufficiently random key that can't be guessed.

Posted by jmichalicek, 01-09-2008, 02:20 PM
You might also remove the username from the cookie. Normally the username would be tied to the session in your table that tracks sessions. It's not necessarily a really big deal, usernames are quite commonly public knowledge anyway (a person's e-mail address or their displayed name on the system), but I see no need to expose something that doesn't need to be when it's no more work at all to not expose it.

Posted by aldo, 01-09-2008, 07:18 PM
Okay, thanks guys. I think I will go through with this.
