Posted by gerg on 11/11/05 22:44
BrandonR wrote:
> I'm creating a web app that requires a rather simplistic user management
> system that they can login to and do a few things. In the mySQL user db I
> have all the standard fields (for the user db) plus a unique ID field that's
> randomly generated whenever they register.
>
> When they login I store two cookies on their system, one that's their user
> id and one that's their unique id. Before doing anything the system first
> makes sure they're logged in (checks that the cookies exist) and then it
> checks the unique id against the user id to make sure they match. If they
> don't it won't allow the action and delete their cookies.
>
> Is this a good system or are there some glaring security holes in it? Of
> course I didn't want to base it right off the user id and I figured this was
> a slightly better method.
>
>
As far as login systems go, I like to use redundant security measures.
I'll have the scripts on each page check for several different items.
Such as, I use sessions instead of cookies, so you know there is no
tampering of cookies, then have the page check that the referrer was the
login page, or have the login page set a value for the $_GET. That way
if the page is accessed directly, the $_GET value won't be there and
access is denied. Then you can check anything you like against the
database and if you yield the correct result then they are in!
-g-
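For readers wanting to see what the session-based approach gerg describes looks like in practice, the following is an added PHP example, not code from either poster. It keeps the user's state on the server (the browser only holds an opaque session ID), regenerates the session ID at login, and replaces the "login page sets a value for $_GET" idea with a per-session random token that each state-changing request must carry and that is compared with `hash_equals`. It assumes a PDO connection `$pdo` and a `users` table with `id`, `username` and `password_hash` columns; those names, the `/login.php` path and every function name here are assumptions made for the example.

```php
<?php
// Added example: session-based login for a small PHP app.
// Assumes $pdo (a PDO connection) and a `users` table with
// columns id, username, password_hash (all assumptions, not from the thread).
declare(strict_types=1);

function start_secure_session(): void
{
    // The browser never sees user data, only the session ID cookie.
    // HttpOnly keeps it away from scripts; Secure restricts it to HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,   // set to false only for local HTTP testing
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID on login so an ID handed out before
    // authentication cannot be reused as an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    // Random per-session token for state-changing actions (replaces a
    // value passed through $_GET or a check on the referrer header).
    $_SESSION['action_token'] = bin2hex(random_bytes(32));
    return true;
}

function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');   // assumed login page path
        exit;
    }
    return (int) $_SESSION['user_id'];
}

function action_token(): string
{
    // Emit this in a hidden form field on every page that performs an action.
    return $_SESSION['action_token'] ?? '';
}

function check_action_token(?string $submitted): bool
{
    // Constant-time comparison: both values are server-issued strings.
    return $submitted !== null
        && isset($_SESSION['action_token'])
        && hash_equals($_SESSION['action_token'], $submitted);
}

function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical use on a protected page that performs an action:
//   start_secure_session();
//   $userId = require_login();
//   if (!check_action_token($_POST['token'] ?? null)) { http_response_code(403); exit; }
//   ... perform the action for $userId ...
```

Two points of design worth noting: the random token is generated with `random_bytes` and kept only in the server-side session, so it cannot be derived from the user ID, and it is compared with `hash_equals` rather than `==` so that the comparison time does not depend on how many leading characters match.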