Security when using PHP cookies

I use cookies to check the user, but if someone kidnaps the cookie data, then he could pretend to be the user. The same is true with sessions too.

How can I make sure that when the user navigates and enters his pages, it is the actual user and not the one who hijacked the cookie/session?

(I can't make the user fill in his user name and password on every page, so that is not an option)

asked Nov 8 '11 at 17:11

3 Answers

Set the "secure" flag on your cookies (see session_set_cookie_params or the ini settings), redirect all HTTP requests to HTTPS, and only generate links to HTTPS (to prevent unnecessary redirects).

The "secure" flag tells the browser to never send the cookie over HTTP, e.g. if your user were to type in the HTTP url to your site. The SSL will take care of end-to-end encryption, protecting the cookie from eavesdropping. You could additionally do an IP check, but this would be inconvenient for some legitimate edge cases.

answered 08 Nov, 11:21

You can't. If someone has someone else's credentials then the battle is lost.

Run all your data over HTTPS so it is encrypted (so safe from being stolen in transit) and trust your users to secure their own end points (since you have no other choice).

answered 08 Nov, 11:21

See also: Firesheep and the insecurity of open wifi. - Annika Backstrom

so there will be pages when they have to login again... hmmm... but why doesn't hacking happen in other sites like youtube? why can't someone get your cookie and enter and edit your channel... or maybe delete it - Con gran éxito

@Adam Backstrom — Hence running everything over HTTPS. Firesheep only works because Facebook drops back to unsecured HTTP once initial authentication is done. - Quentin

@WithFlyingColors — Why will there be pages when they have to log in again? Hacking does happen in other sites, see Adam's link to Firesheep. - Quentin

SSL is what my web host provides. I think I have that, but I mean programmatically - Con gran éxito

Use a reasonable timeout (X minutes) and check for simultaneous activity from multiple IP addresses / browsers / OSes / etc. It isn't perfect, but may block most attackers.

answered 08 Nov, 11:21
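The following is an added example, not code from any of the answers above: it puts the first answer's advice (the "secure" cookie flag via session_set_cookie_params and an HTTP-to-HTTPS redirect) together with the third answer's idle timeout and browser check in one PHP bootstrap file that every page would include before doing anything else. It assumes PHP 7.3 or newer for the array form of session_set_cookie_params(); the 15-minute timeout and the User-Agent binding are my own choices, not values from the page.

```php
<?php
// Added example, not code from the answers above. Assumes PHP 7.3+ (array form of
// session_set_cookie_params); the 15-minute timeout and User-Agent check are assumptions.
const IDLE_TIMEOUT_SECONDS = 15 * 60;

function isHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
}

function dropSession(string $reason): void
{
    session_unset();
    session_destroy();
    http_response_code(403);
    exit($reason . ' Please log in again.');
}

// Redirect plain-HTTP requests to HTTPS before any cookie is ever sent.
if (!isHttps()) {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
// "secure": never sent over HTTP; "httponly": hidden from JavaScript; SameSite limits cross-site sends.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
session_start();

// Idle timeout: a stolen cookie stops working once the legitimate user goes quiet.
$now = time();
if (isset($_SESSION['last_activity']) && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
    dropSession('Session expired.');
}
$_SESSION['last_activity'] = $now;

// Bind the session to the browser that created it; a different User-Agent later is treated
// as a hijacked session (unlike the IP check, this does not break users who roam networks).
$fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
if (!isset($_SESSION['fingerprint'])) {
    $_SESSION['fingerprint'] = $fingerprint;
} elseif (!hash_equals($_SESSION['fingerprint'], $fingerprint)) {
    dropSession('Session does not match this browser.');
}
```

Call session_regenerate_id(true) right after a successful login as well, so a session ID handed out before authentication is never the one that carries the logged-in state.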
