Comments on: Working with Sessions and Cookies in PHP and MYSQL

By: 20+ PHP Tutorials & Resources « Powerusers

20+ PHP Tutorials & Resources « Powerusers — Tue, 29 Sep 2009 19:18:08 +0000

[...] 15. Working with Sessions and Cookies in PHP and MySQL [...]

By: Vonnero

Vonnero — Sat, 19 Sep 2009 13:05:58 +0000

Great tutorial…..thanks, please keep it up….. on sanitizing database inputs… here is a tutorial for sanitizing any input on the go…..

http://ilogical.wordpress.com/2009/09/19/form-validation-made-easy/

contributions or refactoring is highly appreciated….

By: David Riveroll

David Riveroll — Fri, 14 Aug 2009 06:34:12 +0000

This is just what I needed.
I’d like more security related tutorials as this one, I’ve never had any worries cause my websites weren’t worth hacking, but now I’m getting bigger projects and I want to be prepared.

Thanks a lot for your input Aditya

By: Rocky

Rocky — Wed, 12 Aug 2009 15:29:10 +0000

Quote:

function session_encrypt($string) {
$salt = ‘asdfsdfsdfa’;
$string = md5($salt . $string);
}

Dont u mean

function createsomesortofhash($fromthisstring){
$salt = “sosdldsldsldsksdklds”;
$string = md5($salt,$string);
}

because you are using the salt at the start of the string!?

By: Miles Johnson

Miles Johnson — Sat, 01 Aug 2009 04:54:35 +0000

I wrote a session class that manages sessions, some people could probably learn from it.

http://www.milesj.me/resources/script/session-manager

By: Roman Cortes

Roman Cortes — Fri, 31 Jul 2009 16:42:16 +0000

Please, correct that insecure mysql injectable code!

Why are you writing an article on security if you don’t take the time to make the sample code secure!?

I’m sure your blog have a lot of readers… please take care of them by correcting the unsafe samples soon…

Also, be free to delete this comment, I just wanted to show my worries to you.

By: David the Day

David the Day — Fri, 31 Jul 2009 16:18:03 +0000

You can also add IP checking to this method. While user’s IP address do change, they are not likely to change in the middle of a session. So adding an IP field to the database, and checking that the IP is the same for a session is an additional check against session hijacking. I added an article below that uses the IP field as well.

Here is the article, look at the cookie/session model (NOT the HTTP/HTTPS model). It uses oracle for the DB, but it’s very easily converted to MySQL: http://www.oracle.com/technology/pub/articles/mclaughlin-phpid1.html

ADDITIONAL NOTES (IMPORTANT!!!!):

As others have stated, the author doesn’t touch on SQL injection attacks, and they’ve posted sanitation methods. There is also another method: prepared statements. Look up mysqli prepare, it does all the sanitation for you

Also, this article and the one I’ve provided use either MD5 or sha-1. Both of these encryption methods have been hacked. It’s best to use something stronger, such as sha-256, sha-512, or whirlpool for example.

By: In the Woods - Working with Sessions and Cookies in PHP and MYSQL « Netcrema - creme de la social news via digg + delicious + stumpleupon + reddit

Fri, 31 Jul 2009 10:40:52 +0000

[...] In the Woods – Working with Sessions and Cookies in PHP and MYSQLblog.themeforest.net [...]

By: onnay okheng

onnay okheng — Fri, 31 Jul 2009 10:10:18 +0000

that’s excellent..
thank’s…

By: J.R.

J.R. — Fri, 31 Jul 2009 10:04:36 +0000

Another good secure idea is to use the secure flag on your cookies, even ones with session. Also not a bad idea to use HTTPOnly but ti depends on what you are doing.