0

I have searched the web for "how to secure a php session" and came across this: PHP Session Security.

The first answer is a very good one...

I, like many others, am searching for how to create a secure "Remember me" function.

Much like the linked question's poster, I thought it would be good to gather all information about this in one place.

If you assume I know PHP averagely, then you are correct. But I don't know much about securing PHP sessions.

Of course, I know how to write an insecure "Remember me" function, which checks a cookie value (which might be hashed) against a hashed database value. If they are the same, then the user is still logged in. Simple, but dangerous!

How should I secure this "remember me" feature?

  • any "remember me" feature is inherently insecure. – zzzzBov Nov 05 '10 at 20:43
  • So what's the best if you had to have a "remember me" feature? –  Nov 05 '10 at 20:47
  • Why is it dangerous? You just hash the cookie value and check if the hash matches in the database. If someone can access your database you have a lot more to worry about than just the session's safety. – Shoe Nov 05 '10 at 20:50

2 Answers

1

There's a lot of information already linked in The Definitive Guide To Website Authentication

Paul Dixon
0

Carefully "COOK" your cookie data. For all the rest, check the complete guide on Stack Overflow as Paul said, here

Andreas
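
An added example, not code from the question or from either answer: one way to harden the hashed-cookie check the question describes, using a random single-use token whose hash is stored server-side and compared in constant time. The in-memory `$store` array, the function names, the cookie name and the 30-day lifetime are assumptions standing in for a real database table and application settings.

```php
<?php
declare(strict_types=1);

// $store stands in for a database table (hypothetical schema):
// selector => ['user_id' => int, 'validator_hash' => string, 'expires' => int]
$store = [];

const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days, an assumed lifetime

function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator; // value to place in the cookie
}

// Returns [userId, freshCookieValue] on success, null on any failure.
function redeemRememberToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]); // single use: consumed whether or not it verifies
    if ($row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // Rotate: the caller must send the fresh value back as the new cookie.
    return [$row['user_id'], issueRememberToken($store, $row['user_id'])];
}

// Constructed demo: user 42 ticks "remember me", returns later, then the old cookie is replayed.
$cookie = issueRememberToken($store, 42);
// In a web request the value would be sent with restrictive flags, e.g.:
// setcookie('remember', $cookie, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
$first  = redeemRememberToken($store, $cookie);
$replay = redeemRememberToken($store, $cookie);
var_dump($first[0] === 42, $first[1] !== $cookie, $replay === null);
```

Because only the SHA-256 of the validator is stored, a leaked table does not yield usable cookies, and because each token is consumed on use, a copied cookie stops working as soon as either party redeems it.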