The question is the following: let's say I authorize a user on the site, and on successful authorization I set a cookie (setcookie('auth', 'yes', time() + 3600);). This cookie, for example, gives access to a closed part of the site. So, is it possible to create this cookie on the user's machine and bypass the restriction?
1 answer
You can create it yourself, you can copy it from another machine, you can insert it into HTTP traffic.
The easiest way to fix user authorization is to use sessions. Then the user stores only the session identifier, and the authorization status is stored on the server.
If sessions do not suit you for some reason, a similar mechanism can be implemented:
- Generate some random number.
- Write it to the database for this user, and record the login time in the same place.
- Send the user two cookies: the user's identifier (or login) and the generated number.
When the user connects, check:
- Are the required cookies present?
- Does the number sent by the user match the one recorded in the database?
- Has the login time expired?
If everything is OK, the user is let in, and the login time and cookies are updated. Add MD5 hashes to taste.
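The mechanism from the answer above, written out as an added example in PHP (this is not code from the original answer). It assumes PHP 7.3 or newer with the pdo_sqlite driver; the table layout, the cookie names uid and auth, and the demonstration values are all constructed for the example. It follows the answer's steps but stores only a hash of the token and compares it in constant time, so that a copied database row or a forged cookie such as auth=yes is rejected.

```php
<?php
// Added example, not part of the original answer: a database-backed
// login token implementing the steps from the answer above.
// Assumptions: PDO with the sqlite driver; cookie names 'uid' and 'auth'
// and the users table are our own choice for the demonstration.

declare(strict_types=1);

const TOKEN_TTL = 3600; // seconds a login stays valid without activity

function openDb(): PDO {
    // In-memory SQLite keeps the example self-contained; a real site would
    // add the two columns to its existing users table.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, token_hash TEXT, login_time INTEGER)');
    $db->exec("INSERT INTO users (id, login) VALUES (1, 'alice')"); // constructed user
    return $db;
}

// Steps 1-3: after the password check succeeds, issue a fresh random token,
// store its hash together with the login time, and return the two cookies.
function issueLogin(PDO $db, int $userId, int $now): array {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not a small "random number"
    $st = $db->prepare('UPDATE users SET token_hash = ?, login_time = ? WHERE id = ?');
    $st->execute([hash('sha256', $token), $now, $userId]);
    // Only the hash is stored, so a leaked database dump yields no usable cookies.
    return ['uid' => (string) $userId, 'auth' => $token];
}

// The checks on every request: required cookies present, token matches the
// stored one, login not expired. Returns the user id, or null to deny.
function checkLogin(PDO $db, array $cookies, int $now): ?int {
    if (!isset($cookies['uid'], $cookies['auth']) || !preg_match('/^\d+$/', $cookies['uid'])) {
        return null; // required cookies missing or malformed
    }
    $userId = (int) $cookies['uid'];
    $st = $db->prepare('SELECT token_hash, login_time FROM users WHERE id = ?');
    $st->execute([$userId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['token_hash'] === null) {
        return null; // unknown user or never logged in
    }
    // Constant-time comparison: a forged cookie learns nothing from timing.
    if (!hash_equals($row['token_hash'], hash('sha256', (string) $cookies['auth']))) {
        return null; // self-made, copied-from-old-login, or otherwise wrong token
    }
    if ($now - (int) $row['login_time'] > TOKEN_TTL) {
        return null; // login time expired
    }
    // Success: refresh the login time (the caller re-sends the cookies).
    $db->prepare('UPDATE users SET login_time = ? WHERE id = ?')->execute([$now, $userId]);
    return $userId;
}

// Sending the cookies in a real request handler. HttpOnly keeps the token
// away from page scripts, Secure keeps it off plaintext connections.
function sendCookies(array $c, int $now): void {
    $opts = ['expires' => $now + TOKEN_TTL, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie('uid', $c['uid'], $opts);
    setcookie('auth', $c['auth'], $opts);
}

// Demonstration with constructed values (run from the CLI).
$db = openDb();
$now = time();
$cookies = issueLogin($db, 1, $now);
var_dump(checkLogin($db, $cookies, $now + 10));                    // the issued cookies
var_dump(checkLogin($db, ['uid' => '1', 'auth' => 'yes'], $now));  // the cookie from the question, set by hand
var_dump(checkLogin($db, $cookies, $now + 2 * TOKEN_TTL));         // long after the last activity
```

The three calls at the bottom show the point of the answer: the cookies issued by the server are accepted, a cookie the user made up (auth=yes) fails the database comparison, and even a genuine cookie is refused once the stored login time is older than TOKEN_TTL. Nothing in the cookie itself says "logged in"; the decision is taken from the server-side row.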
- Could you tell me where to dig regarding the restrictions for viewing part of the site? Where to dig? What to replace this cookie with? - Dmitriy
- @Dmitriy I wrote an approximate algorithm - Anton Shchyrov
- IMHO, it is better to use a string rather than a number, a session id to reset it, and information about the user's browser. - users
- OK, thanks, I'll try to implement it. - Dmitriy
setcookie('auth', 'dbd4d5171a44361bc4d122f256e7c555', time() + 3600);, but I would rather say that cookies are stored in the user's browser, and it must be taken into account that the user can change the cookie or create a new one; a cookie cannot be trusted, in general, like everything the user sends!!! - users