Best practices for a login system Sessions/Cookies

3

I would like to know some important points when making a login system:

Sessions vs. Cookies

  • Which is the most appropriate in security matters?
  • Which uses the least server resources? (in the case of a large application)
  • Which is the fastest?

And other important tips for a more efficient system.

1 answer

5


In security matters: Session wins because cookies are text files saved on the client computer, so they can be manipulated.

However, to avoid manipulation of the Session, you must specify some security settings (for more information, read the PHP page about Sessions and Security), which will help prevent Session Hijacking and Session Fixation:

    $timeout = 30; // session lifetime in minutes (value assumed; not given in the original)
    ini_set('session.gc_maxlifetime', ($timeout * 60)); // maximum session lifetime in seconds
    ini_set('session.use_strict_mode', true); // accept only session IDs created by the session module
    ini_set('session.use_cookies', true); // use together with use_only_cookies
    ini_set('session.use_only_cookies', true); // session ID taken from cookies only, never from the URL
    ini_set('session.cookie_httponly', true); // cookies accessible over HTTP only (not from JS)
    ini_set('session.cookie_secure', true); // cookies sent over HTTPS only
    ini_set('session.hash_function', 'sha512'); // hash function for session IDs (removed in PHP 7.1); harder-to-guess IDs hinder Session Hijacking
    ini_set('session.use_trans_sid', false); // transparent SID support disabled
    ini_set('session.referer_check', 'https://www.seusite.com.br'); // checks the Referer header
    ini_set('session.cache_limiter', 'nocache'); // do not cache
    session_start(); // IMPORTANT: only after all the ini_set() calls above
    session_regenerate_id(); // renews the session ID; requires an active session, so it must come after session_start()

Ideally, for security reasons, use HTTPS for everything, but if you do not have HTTPS available on your PHP server, you will have to set:

    ini_set('session.cookie_secure', false);

Which uses the least server resources: Cookies, which can be manipulated only on the client’s computer through JavaScript.

What’s the fastest: Cookies, as they do not need to make requests to the server.

Final considerations: Use SESSION to store confidential data and COOKIES for other data.

NOTE: The Storage feature for JAVASCRIPT is now available, better and faster than cookies.

sessionStorage = data is CLEARED when the browser is closed

localStorage = data is stored indefinitely

Use:

    sessionStorage.setItem('variavel_temporaria', 'valor da variavel'); // sets the value
    var conteudo = sessionStorage.getItem('variavel_temporaria'); // reads the value

    localStorage.setItem('variavel_tempo_indeterminado', 'valor da variavel2'); // sets the value
    var conteudo2 = localStorage.getItem('variavel_tempo_indeterminado'); // reads the value

I hope I’ve helped!
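As an added example (not code from the original answer), the following PHP 7.3+ bootstrap and login handler apply the hardening the answer lists: strict mode, cookie-only session IDs, Secure/HttpOnly/SameSite cookie attributes, a server-side idle timeout, and regeneration of the session ID at login so that a pre-login ID cannot be reused (session fixation). The in-memory user store and the 30-minute timeout are constructed assumptions, and all ini settings are applied before `session_start()`, which is what the "A session is active" error in the comments is about.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Requires PHP 7.3+ for the
// array form of session_set_cookie_params()/setcookie() with 'samesite'.
// The idle timeout value and the user store below are constructed assumptions.

const IDLE_TIMEOUT_SECONDS = 30 * 60;

function secure_session_start(): void
{
    // ini settings must be changed BEFORE session_start(); afterwards PHP
    // refuses with "A session is active", the error quoted in the comments.
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (anti-fixation)
    ini_set('session.use_only_cookies', '1'); // never read the ID from the URL
    ini_set('session.use_trans_sid', '0');
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);

    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // invisible to document.cookie
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);

    session_start();

    // Server-side idle timeout; gc_maxlifetime alone is not enough, because
    // garbage collection only runs probabilistically.
    if (isset($_SESSION['last_activity'])
        && time() - (int) $_SESSION['last_activity'] > IDLE_TIMEOUT_SECONDS) {
        destroy_session();
        session_start(); // continue with a fresh, anonymous session
    }
    $_SESSION['last_activity'] = time();
}

function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie on the client with the same attributes it was set with.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed in-memory user store standing in for a database lookup.
function find_user_by_email(string $email): ?array
{
    static $users = null;
    if ($users === null) {
        $users = [
            'alice@example.com' => [
                'id'            => 1,
                'password_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            ],
        ];
    }
    return $users[$email] ?? null;
}

function login(string $email, string $password): bool
{
    $user = find_user_by_email($email);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Privilege boundary crossed: mint a new ID and delete the old one, so an
    // ID planted before login (session fixation) stops working.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['last_activity'] = time();
    return true;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage in a login endpoint (login.php):
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && login((string) ($_POST['email'] ?? ''), (string) ($_POST['password'] ?? ''))) {
    header('Location: /dashboard.php');
    exit;
}
```

Note that `session_regenerate_id(true)` is called only after the password check succeeds, and with `true` so the old session file is deleted rather than left behind; `secure_session_start()` itself regenerates nothing, which keeps every request cheap and avoids racing concurrent requests from the same browser.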

  • Thanks for the reply, that cleared things up enough, but in relation to Session Hijacking and Fixation, would the settings you passed already solve that?

  • Yes, and to increase the security level, I added: referer_check, session.cache_limiter, use_strict_mode, hash_function.

  • Oh, thanks again. Should these ini_set parameters and session_regenerate_id be set at the beginning of the application? Or only the regenerate_id, which has to be set when the session is created, for example when the login is successful?

  • At the beginning of the application.

  • Ok, last question. Say the application is active, still with Sessions saving the most sensitive information like email, password, etc., and cookies holding the less important information. In relation to server consumption by Sessions in a large application, would that not cause any problem, or does it depend on the server? I had also heard about tokens; with these settings, is it still necessary to use them?

  • Tokens would replace cookies for less sensitive (non-confidential) information. As for Sessions, it depends on the number of Sessions vs. simultaneous users, the resources and the server configuration.

  • I understand, so in that case it would be better to open another discussion about server resources vs. Sessions. Thank you!

  • This error came back to me: A session is active. You cannot change the session module’s ini settings at this time on line 18. Line 18: ini_set('session.use_trans_sid', false);

  • I put the session_start after everything, and it seems that solved it, but should it be before or after the regenerate_id?

  • You have to call session_start(); after these commands, not before.
