Code2Design.com


Secure Sessions

Ok, I am trying to make as secure of a script as I can without using SSL. I found a page on it (http://www.devarticles.com/c/a/MySQL/Security-and-Sessions-in-PHP/ ) and I want to know if this is right:

Say I have a user table something like this:

CREATE TABLE users (
    username varchar(255) NOT NULL,
    email varchar(255) NOT NULL,
    password varchar(255) NOT NULL,
    sid varchar(32)
);

Every time someone logs in I create a SID value and stick one copy in the user's database table and another in a cookie to give back to the user. Then every time a page is requested I check the session ID in the cookie against the one in the database and if it is found then I let them in. Now, is there anything else that I could do to make the session ID more secure?

Since I want to store these in a database, do I need to make my own session functions?

Should I make a new table and call it sessions and have it contain the SID and userID?

Also, I have lots of strlen(), mysql_real_escape_string(), gettype(), etc... functions to clean the values so don't worry about that. I just want to know how to keep the user's sessionID from being hijacked by a hacker.

Ok, here is some more reading if anyone else is interested:
Store Session Data in a MySQL Database
Download Chapter 4 of phpsecurity
Trick-Out Your Session Handler
PHP 101 (part 10): A Session In The Cookie Jar
Session Handling with PHP 4


Submitted by David on February 10, 2007 - 3:54am.

sessions table

Hey,

Should I make a new table and call it sessions and have it contain the SID and userID?

I would create a new table for sessions with just the userID and the SID. There will be a lot less searching for the DB to do. The user table that you posted as an example would have to search the 4 keys in each row to find the right one. With a session table it would only have 2 keys to sort through.

By the way... I love the new site

God Bless,

StarTrak118
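
The login-then-check flow from the question, using the separate sessions table suggested in the reply, as an added example that is not code from either poster. Assumptions: SQLite in memory stands in for MySQL, the table stores a SHA-256 hash of the SID plus an expiry column, and the names `start_session`, `check_session` and `SESSION_TTL` are hypothetical.

```php
<?php
// Added example. SQLite in memory stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    sid_hash CHAR(64) PRIMARY KEY,  -- SHA-256 of the SID, never the SID itself
    user_id  INTEGER NOT NULL,
    expires  INTEGER NOT NULL       -- Unix timestamp
)');

const SESSION_TTL = 1800; // assumed 30-minute lifetime

// Call after the password check succeeds; returns the value to put in the cookie.
function start_session(PDO $db, int $userId): string
{
    // One session per user: a SID issued before this login stops working.
    $db->prepare('DELETE FROM sessions WHERE user_id = ?')->execute([$userId]);
    $sid = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, not guessable
    $db->prepare('INSERT INTO sessions (sid_hash, user_id, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $sid), $userId, time() + SESSION_TTL]);
    return $sid;
}

// Call on every page request; returns the user id, or null if the cookie is not accepted.
function check_session(PDO $db, string $cookieSid, ?int $now = null): ?int
{
    $now = $now ?? time();
    if (!preg_match('/\A[0-9a-f]{64}\z/', $cookieSid)) {
        return null; // malformed cookie, skip the lookup
    }
    $stmt = $db->prepare('SELECT user_id, expires FROM sessions WHERE sid_hash = ?');
    $stmt->execute([hash('sha256', $cookieSid)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < $now) {
        return null; // unknown or expired SID
    }
    return (int)$row['user_id'];
}

// Constructed walk-through: user 42 logs in, then pages are requested.
$sid = start_session($db, 42);
// In a real response: setcookie('sid', $sid, ['httponly' => true, 'samesite' => 'Lax']);
var_dump(check_session($db, $sid));                           // SID just issued
var_dump(check_session($db, str_repeat('0', 64)));            // SID never issued
var_dump(check_session($db, $sid, time() + SESSION_TTL + 1)); // same SID after expiry
start_session($db, 42);                                       // user logs in again
var_dump(check_session($db, $sid));                           // SID from the earlier login
```

Without SSL the cookie still crosses the network in clear text, so the expiry and replace-on-login steps limit how long a captured SID stays useful rather than preventing its capture.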

