Why not use a long life session ID for auto-login instead of a persistent cookie with a token?

Time:11-14

On the PHP website it is stated that "Developers must not use long life session IDs for auto-login because it increases the risk of stolen sessions." Instead it is recommended to use a secure one time hash key as an auto-login key using setcookie() - which then becomes a persistent cookie.

But I cannot understand how that is safer?

The persistent cookie with the token can also be stolen, and stealing session IDs is very difficult if you make sure your website never works over HTTP but only over HTTPS - like with HSTS - and also prevent JavaScript access with httponly.

What am I missing here?

CodePudding user response:

I have a guess what they mean. I believe when they say "secure one time hash key" they really mean some kind of HOTP mechanism. Then I have some more guesses about what they want to achieve with it. They want to be able to terminate the sessions when they time out, but they also want the client to be able to automatically recreate the session by simply calling its internal HOTP mechanism, generating the next token and finally passing it to the server.

That's a huge amount of guessing here, but honestly, saying "secure one time hash key" does not mean a thing and such an expression is really vague.

CodePudding user response:

I think I have found the correct answer myself.

A session cookie is used to keep state between requests. It can be used to track a login during an open browser session, but the session should be ended when the user logs out or when the browser is closed. A "Remember Me" token in a persistent cookie is not used to keep state between requests; it's only used to "skip" the login procedure and give access to specific pages that otherwise require a login. When you use $_SESSION you're dealing with the session cookie: nothing but the session ID is stored in the browser or client, and all the values you put into the $_SESSION array get stored on the server in a file (by default) that contains the values in plain text.

The persistent cookie for "Remember Me" is not used for anything like that, it only keeps a hash token in the browser in order for the user to be recognized and avoid having to log in every time he visits the website.

In other words, the session cookie and the persistent "Remember Me" cookie are two different solutions to two different problems.

You can "keep state" with the "Remember Me" cookie, but that is not what it is used for and it doesn't provide you with a session. You can use the session cookie to implement a "Remember Me" functionality, but that is not what it is used for, it is used to store state variables on the server and to keep state in a session.

However, if you implement the proper security features for cookies, i.e. only serve on HTTPS and use secure and httponly, then they are both equally secure with regard to the risk of stealing the cookie or the session ID.
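To make the "secure one time hash key" in the question concrete, here is an added example (not code from the question, the answers or the PHP manual) of what such an auto-login token looks like in practice. It assumes a selector/validator scheme: the cookie carries a random selector plus a random validator, the server stores only a hash of the validator, and a presented token is deleted and replaced with a fresh one on every successful use, so that it is valid for one visit only. The in-memory $tokenStore, the cookie name, the 30-day lifetime and the helper names are assumptions for the demonstration; a real deployment would put the store in a database and start a normal $_SESSION after a successful auto-login. The options-array form of setcookie() needs PHP 7.3 or later.

```php
<?php
// Added example: one-time "remember me" token, rotated on every use.
// $tokenStore is an in-memory array standing in for a database table.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';       // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;      // assumed lifetime: 30 days

// Issue a fresh token for $userId. The browser gets "selector:validator";
// the server keeps only sha256(validator), so a leaked store gives no usable cookies.
function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key
    $validator = random_bytes(32);           // secret part, never stored in clear
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . bin2hex($validator);
}

// Persistent cookie with the flags the question mentions: HTTPS only, no JS access.
function setRememberCookie(string $value): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a presented cookie. On success the token is consumed (single use)
// and a replacement is returned; the caller then starts a short-lived $_SESSION
// (session_start(), session_regenerate_id(true), $_SESSION['user_id'] = ...).
// Returns ['user_id' => int, 'cookie' => string] or null.
function consumeRememberToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;                          // malformed cookie
    }
    [$selector, $validatorHex] = $parts;
    $record = $store[$selector] ?? null;
    if ($record === null) {
        return null;                          // unknown or already consumed
    }
    if ($record['expires'] < time()) {
        unset($store[$selector]);             // expired: drop it
        return null;
    }
    $presented = hash('sha256', hex2bin($validatorHex));
    if (!hash_equals($record['validator_hash'], $presented)) {
        unset($store[$selector]);             // valid selector, wrong secret: revoke it
        return null;
    }
    unset($store[$selector]);                 // one-time use: consume the token
    $fresh = issueRememberToken($store, $record['user_id']);
    return ['user_id' => $record['user_id'], 'cookie' => $fresh];
}

// --- demonstration with a constructed scenario ---
$tokenStore = [];
$cookie     = issueRememberToken($tokenStore, 42);   // issued at login for user 42
$stolenCopy = $cookie;                               // attacker copies the cookie value

$first = consumeRememberToken($tokenStore, $cookie); // legitimate visit: accepted, rotated
setRememberCookie($first['cookie']);                 // browser now holds the new value

$replay = consumeRememberToken($tokenStore, $stolenCopy); // old value: rejected

echo "first use -> user ", $first['user_id'], PHP_EOL;            // first use -> user 42
echo "replay of consumed token -> ", var_export($replay, true), PHP_EOL; // -> NULL
echo "tokens left in store: ", count($tokenStore), PHP_EOL;        // 1 (only the rotated one)
```

The point of the rotation is what distinguishes this from a long-lived session ID: a copied token works only until the legitimate browser next presents its own copy, after which one of the two parties is refused and has to log in again, which is the signal that a copy exists. Whether the flags alone make the two cookies "equally secure" is a separate question; this example only shows the mechanism the PHP manual's wording refers to.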
