Hi guys, I was wondering how I can make my cookies secure so that they cannot be played around with. For example, I need to encrypt the user_id of the user when sending it.
Basically, what is the right approach to using cookies without becoming vulnerable to hacks?
@svidgen (Oct 14, 2010): Any data the user sends you is susceptible to tampering. You can reduce the risk by making critical data difficult to spoof. So, to your question: Don't store sensitive data in cookies. Use PHP's built-in session handling. It's highly unlikely that a malicious user will be able to guess the session ID of another user. And you can then store all sensitive data in the session (server-side).
But the problem is that sessions end after the user closes the browser. Some users would not like to re-login every time they come to the site.
How should I best approach this? I am guessing I save 1 cookie on their computer and then retrieve their information and place it in sessions, but what is that 1 thing that should be saved to keep things secure?
Sessions only end when the browser is closed [b]if[/b] that is the setting you are using for session.cookie_lifetime. You also need to set the [url=http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime]session.gc_maxlifetime[/url] to how long you want the session data to be stored on the server. (If on a shared host or if other applications with different session settings are running on your host, make sure to have your application use its own session.save_path so that the data does not get "garbage collected" by other applications using the same directory.)
You can also control these settings at the script level via [url=http://www.php.net/manual/en/function.session-set-cookie-params.php]session_set_cookie_params[/url]() and [url=http://php.net/ini_set]ini_set[/url](), but then you must be sure to do it in each script before the call to session_start() (perhaps in an include file?).
@NogDog (Oct 18, 2010):
[QUOTE]wow, this is getting quite complicated for me, can you refer me to a site where I can get more information on this?
Thanks.[/QUOTE]
Off-hand I don't know of anything other than the manual pages I linked above.
A session include file might be something like:
[code=php]
<?php
$session_lifetime = 60 * 60 * 24 * 30; // 30 days
$session_domain = ".example.com";      // note leading dot
// make sure the specified directory is writable by the web server:
$session_path = $_SERVER['DOCUMENT_ROOT'] . '/../session_data';

if(!headers_sent()) {
    session_set_cookie_params($session_lifetime, '/', $session_domain);
    ini_set('session.save_path', $session_path);
    ini_set('session.gc_maxlifetime', $session_lifetime);
    session_start(); // session will be started by this include file.
} else {
    error_log("Headers already sent error, could not start session");
    die("There was a problem initializing your session"); // or whatever you want to do in this case
}
[/code]
Then just include that file at the very beginning of each script you want to be session-controlled.
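As an added example (not posted by anyone in this thread), here is the "1 thing" from the original question applied the way svidgen describes: the persistent cookie holds nothing but a random token, and the user_id stays on the server. It goes one step beyond NogDog's long-lived session by using a separate remember-me token that can be revoked independently; it assumes PHP 7+ (random_bytes) and uses a plain array in place of a database table.

```php
<?php
// Added example, not from this thread. The cookie carries only a random token;
// the user_id never leaves the server, a copied cookie is useless once its
// server-side record is deleted, and a tampered value simply fails lookup.
// $store stands in for a DB table with columns (token_hash, user_id, expires).
$store = [];

function issueRememberToken(array &$store, int $userId, int $lifetime): string
{
    $token = bin2hex(random_bytes(32));       // 256 bits of entropy: unguessable
    $store[hash('sha256', $token)] = [         // store only the hash, like a password
        'user_id' => $userId,
        'expires' => time() + $lifetime,
    ];
    return $token;
}

function checkRememberToken(array &$store, string $token): ?int
{
    $hash = hash('sha256', $token);
    if (!isset($store[$hash])) {
        return null;                           // unknown, tampered or revoked token
    }
    if ($store[$hash]['expires'] < time()) {
        unset($store[$hash]);                  // expired: clean up and reject
        return null;
    }
    return $store[$hash]['user_id'];
}

// After a successful login for (constructed) user 42: set the cookie.
// HttpOnly keeps it away from scripts, Secure keeps it off plain HTTP.
$lifetime = 60 * 60 * 24 * 30;                 // 30 days, as in the include file above
$token = issueRememberToken($store, 42, $lifetime);
if (!headers_sent()) {
    setcookie('remember', $token, time() + $lifetime, '/', '', true, true);
}

// Later visit with no live session: look the cookie up, then start a fresh session.
$presented = $_COOKIE['remember'] ?? $token;   // falls back to $token so this runs offline
$userId = checkRememberToken($store, $presented);
if ($userId !== null && !headers_sent()) {
    session_start();
    session_regenerate_id(true);               // new session ID once the user is authenticated
    $_SESSION['user_id'] = $userId;
}

// A modified cookie value does not match any stored hash and is rejected.
var_dump(checkRememberToken($store, strrev($token))); // NULL
```

Logging the user out (or seeing the token abused) is handled by deleting the matching record, which is not possible when the cookie itself is the encrypted user_id.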