[PHP]Cookie Login Verification
Okay the problem I'm having now is security. I see holes in my security but the only way I know to fix them is to run a query each page refresh which I would hate to do.
Anyone have any ideas for a good cookie system where I'm not constantly querying? I can't see anyone but I figured I should make sure before writing the entire script system lol
Re: [PHP]Cookie Login Verification
My CMS works kinda like that:
If a user comes to the site for the first time, the CMS creates a guest cookie and inserts session values in the DB.
If the user refreshes the page, the CMS updates his cookie and session value.
If the user has logged in, his cookie value and session values change.
Re: [PHP]Cookie Login Verification
admloki,
so how do you protect your website against fake cookies
if the user really has an account?
Since you're not talking about anything DB related.
The way I do it: when a user comes to the site I actually don't do anything.
When the user logs in, I generate a login ticket (or whatever you want to call it) if the login is correct,
and place it into a cookie.
Of course the account + ticket only work from the IP they logged in from, so the IP also gets stored in the DB.
When they visit a page or refresh, the IP + login ticket get compared; if an account is found the user is logged in, else not.
The login ticket is an MD5 hash, so I first check if there is actually a cookie and if it's an MD5 hash before using it in the DB.
I wouldn't put the username or password in cookies; it doesn't really look secure.
Re: [PHP]Cookie Login Verification
Cookie information should always be checked. You cannot trust the information of cookies, therefore you should run a query every time the page loads to check if the user is really the user with the right login details.
But perhaps you can set sessions and use cookies together...that way you might not need a query every time the page loads...need to think about it if it has no holes...interesting for my new projects :)
Re: [PHP]Cookie Login Verification
Quote: Originally Posted by Daevius
Cookie information should always be checked. You cannot trust the information of cookies, therefore you should run a query every time the page loads to check if the user is really the user with the right login details.
But perhaps you can set sessions and use cookies together...that way you might not need a query every time the page loads...need to think about it if it has no holes...interesting for my new projects :)
Sessions can be edited just like cookies though. Maybe not by the most simple-minded, but they can be changed nonetheless.
Right now I have my login verification function set to run cookies and queries so at least I don't have to change it lol.
I guess I'm stuck running queries each refresh >.>
There are a few other ideas but they can be broken into. Damn, I tried to avoid it...
Re: [PHP]Cookie Login Verification
I guess you will have to yes. But I thought sessions were stored by the server...?
Re: [PHP]Cookie Login Verification
Quote: Originally Posted by Daevius
I guess you will have to yes. But I thought sessions were stored by the server...?
You're right...
Quote:
...cookies are stored on the client, while the session data is stored on the server.
I wonder what the 'Clear Authenticated Sessions' is on my browser then >.>
My bad...
k new system:
ver function:
gets cookie vars
if the session for the userid is set compare details
if not, run a query to compare cookie to db
if good continue else clear cookies, sessions, etc and redirect
---
Sessions have a problem with redirects though so I'll probably have to run queries after each redirect, no matter the circumstance.
However, that'll keep me from running queries every page ^_^
- MISSION ACCOMPLISHED! -
Okay I guess someone will read this...
Instead of making a new thread I'll try here.
Can you make a function replace a pre-defined function?
I've grown to love some oop features but I hate having to do all the work behind it.
Essentially I want to extend a function.
What I want to do is, just to keep things simple:
PHP Code:
function mysql_query($str,$res){
    globals <blah>;
    if(super.mysql_query($str,$res)){
        return <do stuff to blah>;
    }else{
        return false;
    }
}
extend works in class but,
1. I don't like writing classes
2. I want to extend a pre-defined function, not a class (mysql might be in a class, idk).
Re: [PHP]Cookie Login Verification
Yay :), good job ;). I'll try to make it too and see if it's fail-safe. Because it would improve efficiency :D, that's what we want ;).
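The "new system" verification function described earlier in the thread (check the server-side session first, fall back to one DB lookup, otherwise clear everything), written out as an added example that is not code from any poster. It assumes a random 64-hex-character ticket from `random_bytes` in place of the MD5 value mentioned above; `$store` stands in for the DB table, `$session` for `$_SESSION`, `$cookies` for `$_COOKIE`, and all function names are hypothetical.

```php
<?php
// Added example. $store stands in for the tickets table, $session for $_SESSION,
// $cookies for $_COOKIE; all function names are hypothetical.

function issue_ticket(array &$store, int $userId): string {
    $ticket = bin2hex(random_bytes(32));            // 64 hex chars, unguessable
    // Store only a hash, so a leaked table does not yield usable cookies.
    $store[hash('sha256', $ticket)] = ['uid' => $userId, 'expires' => time() + 3600];
    return $ticket;                                 // value to place in the cookie
}

function verify_login(array $cookies, array &$session, array $store, int &$queries): ?int {
    $ticket = $cookies['ticket'] ?? '';
    // Shape check first: anything that is not 64 lowercase hex chars is rejected unqueried.
    if (!is_string($ticket) || preg_match('/\A[0-9a-f]{64}\z/', $ticket) !== 1) {
        $session = [];
        return null;
    }
    $hash = hash('sha256', $ticket);
    // Fast path: the server-side session already vouches for this exact ticket.
    if (isset($session['uid'], $session['ticket_hash'])
        && hash_equals($session['ticket_hash'], $hash)) {
        return $session['uid'];
    }
    // Slow path: one lookup, then cache the result in the session.
    $queries++;
    $row = $store[$hash] ?? null;
    if ($row !== null && $row['expires'] > time()) {
        $session = ['uid' => $row['uid'], 'ticket_hash' => $hash];
        return $row['uid'];
    }
    $session = [];                                  // unknown or expired: clear state
    return null;
}

// Constructed demo data.
$store = []; $session = []; $queries = 0;
$cookie = ['ticket' => issue_ticket($store, 42)];
var_dump(verify_login($cookie, $session, $store, $queries));  // first request: lookup
var_dump(verify_login($cookie, $session, $store, $queries));  // repeat: session only
$forged = ['ticket' => str_repeat('a', 64)];
var_dump(verify_login($forged, $session, $store, $queries));  // well-formed but unknown
var_dump(verify_login(['ticket' => 'not-a-ticket'], $session, $store, $queries)); // malformed
echo "lookups: $queries\n";
```

Because the fast path trusts the session, a ticket deleted from the table keeps working until that session ends; logout and password changes need to destroy the session as well as the table row.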