|
Posted by JamesB on 11/23/09 11:27
I am half way through making a site you can only do certain stuff if logged
in to.
So far, you are logged in if there is a session variable with your username,
but I got thinking that presumably someone who worked this out could make a
cookie file with this info in and pretend to be another user. So... what's
the recommended way?
I thought of storing an MD5 hash of the login time in the session and in the
database too, then on each page, comparing the session variable to that in
the db. Theory being, if a hacker had tried making their own cookie file
they wouldnt have the right hash.
Sound reasonable? Or is session info secure enough anyway? Its not a D.O.D
site or anything, but might as well make it right from outset...
James.
Navigation:
[Reply to this message]
|