Problems with tokens stored in Session?

I am developing an application in PHP, and in the authentication part I have the following code:

    public function chamaApi(){
        // API call via curl (not shown); $response holds the raw JSON body
        $profile = json_decode($response);

        // the API answers with "error" plus "data" (user ID, API key, name, email)
        if($profile->error != true){
           self::openSession($profile->data->api_key);
        }
    }

`$profile` gets the result returned by the API (login user ID, API access token, name and email).

    public function openSession($profile){
        if(session_status() !== PHP_SESSION_ACTIVE){
            session_start(); // $_SESSION is only available once the session has been started
        }
        $_SESSION['profile'] = $profile;
    }

My question is whether there is any problem in managing the session using the API access token (unique to each user). And if there is a problem, what would be the best way to manage the session for application security?

PS: I am not using a framework!

1 answer

Dude, if the token value is not visible in the cookie, then it's okay. Since this value is stored server-side, the user has no access to it, and consequently it is not a problem.

In standard authentication, we usually put the user ID directly into the session; on its own it is enough to give access to everything that particular user can do.

The same thing happens with this token; the difference is that instead of an ID, you are using a random string that connects to the API.

The most important thing is that you handle this session management in the most secure way possible, avoiding session hijacking and so on, because that can be a problem.

Very commonly, a browser extension can read the cookie value and pass it to another user, who can set the cookie directly on the site and gain access to whatever the first user was accessing, from another machine.

If you are working with Composer in your application, I recommend you get to know the Symfony HttpFoundation component. It has several utilities for dealing with requests and so on, but what I find most badass about it is the session management. It is the same one used in the framework itself, and it is very safe and simple to use.

PS: you do not need to use the full framework to use this component.
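As an added example (not code from the question or the answer), here is what "the most secure way possible" can look like in plain PHP without a framework: cookie flags, strict mode, a fresh session ID at login and an absolute timeout, with the token kept server-side exactly as the answer describes. The function names and the `api_key` session key are assumptions; `startSecureSession()` must run before any output is sent, since it sets a cookie.

```php
<?php
// Added example (not the question's or answer's code): hardened session handling
// for the API token. Function names and the 'api_key' session key are assumptions.

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // PHP's defaults leave the cookie readable by JavaScript, sent over plain HTTP
    // and attached to cross-site requests; each flag below closes one of those gaps.
    session_set_cookie_params([
        'lifetime' => 0,         // discarded when the browser closes
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable via document.cookie
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_start();
}

// Called after the API reported a successful login with $profile->data->api_key.
function openSession(string $apiKey): void
{
    startSecureSession();
    // Fresh ID at login so a pre-login (possibly fixated) ID is never promoted.
    session_regenerate_id(true);
    $_SESSION['api_key']    = $apiKey;  // stays server-side; only the ID reaches the browser
    $_SESSION['login_time'] = time();
}

// Token for outgoing API calls; null means not logged in or session too old.
function currentApiKey(int $maxAgeSeconds = 3600): ?string
{
    startSecureSession();
    if (!isset($_SESSION['api_key'], $_SESSION['login_time'])) {
        return null;
    }
    if (time() - $_SESSION['login_time'] > $maxAgeSeconds) {
        $_SESSION = [];
        session_destroy();     // absolute timeout bounds the window of a stolen cookie
        return null;
    }
    return $_SESSION['api_key'];
}
```

The array form of `session_set_cookie_params()` requires PHP 7.3 or newer; on older versions pass the same values as positional arguments and set `samesite` via `session.cookie_samesite` in `php.ini`.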
