Programming Forums
Old Feb 2nd, 2007, 12:07 PM   #1
Xeoncross
Sessions - Is this the best way?

Ok, I am trying to make as secure of a script as I can without using SSL. I found a page on it (http://www.devarticles.com/c/a/MySQL...ssions-in-PHP/ ) and I want to know if this is right:

Say I have a user table something like this:

CREATE TABLE users (
    username varchar(255) NOT NULL,
    email varchar(255) NOT NULL,
    password varchar(255) NOT NULL,
    sid varchar(32)  -- session ID set at login; a copy goes to the user in a cookie
);


Every time someone logs in I create a SID value and stick one copy in the user's database table and another in a cookie to give back to the user. Then every time a page is requested I check the session ID in the cookie against the one in the database and if it is found then I let them in. Now, is there anything else that I could do to make the session ID more secure?

Should I make a new table and call it sessions and have it contain the SID and userID?

Also, I have lots of strlen(), mysql_real_escape_string(), gettype(), etc... functions to clean the values so don't worry about that. I just want to know how to keep the user's sessionID from being hijacked by a hacker.


Thanks,
David
Old Feb 2nd, 2007, 12:45 PM   #2
Xeoncross
Sessions

Ok, I have found some more reading if anyone else is interested:

Store Session Data in a MySQL Database
Download Chapter 4 of phpsecurity
Trick-Out Your Session Handler
PHP 101 (part 10): A Session In The Cookie Jar
Session Handling with PHP 4

http://www.480x.com/2006/05/23/php-o...anced-servers/

Last edited by Xeoncross; Feb 2nd, 2007 at 12:47 PM. Reason: more links...
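
The login flow from the first post, built on the separate sessions table it asks about, as an added example that is not part of the original posts. The table, column and function names are hypothetical, and three choices are assumptions rather than anything the thread states: the SID comes from the CSPRNG, only its SHA-256 hash is stored (so a leaked table does not hand out live sessions), and each row carries an expiry.

```php
<?php
// Added example; table, column and function names are hypothetical.
// In-memory SQLite stands in for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    sid_hash CHAR(64) PRIMARY KEY,  -- SHA-256 of the SID, not the SID itself
    user_id  INTEGER NOT NULL,
    expires  INTEGER NOT NULL       -- Unix timestamp
)');

const SESSION_TTL = 1800; // assumed 30-minute lifetime

// After the password check succeeds: create a row, return the SID for the cookie.
function issue_session(PDO $db, int $userId): string {
    $sid = bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, 32 hex chars
    $stmt = $db->prepare('INSERT INTO sessions (sid_hash, user_id, expires) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $sid), $userId, time() + SESSION_TTL]);
    return $sid;
}

// On every request: user id for a live session, null for unknown or expired.
function lookup_session(PDO $db, string $sid): ?int {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $sid)) {
        return null; // malformed cookie value, no query needed
    }
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE sid_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $sid), time()]);
    $userId = $stmt->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Logout: delete the row so the SID stops working server-side.
function end_session(PDO $db, string $sid): void {
    $db->prepare('DELETE FROM sessions WHERE sid_hash = ?')->execute([hash('sha256', $sid)]);
}

// Constructed demo: user id 42 is made up.
$sid = issue_session($db, 42);
// In a real response the SID would go out as:
// setcookie('sid', $sid, ['expires' => time() + SESSION_TTL, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
var_dump(lookup_session($db, $sid));
var_dump(lookup_session($db, str_repeat('0', 32)));
end_session($db, $sid);
var_dump(lookup_session($db, $sid));
```

Keeping sessions in their own table allows several concurrent logins per user and lets logout or expiry remove a single row. None of this protects the cookie in transit: without SSL the SID crosses the network in cleartext, which is also why the Secure cookie flag is left out of the commented setcookie call.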
DaniWeb IT Discussion Community
All times are GMT -5.