I’m building a site with user accounts for the first time. I’m in the process of making user login secure. On registration I hash the password before saving it, then on login, if the password is correct, I save a cookie with the user info with setCookie.
Right now hijacking an account is as simple as modifying the cookie values. I want to make the site secure, but most options I’m reading about seem to be too complex and I want to use something I can do myself. I’ve been reading a couple of tutorials and have a basic idea of how to do it, but don’t know how secure it is.
My idea is to make a table for sessions and store the userid + a random value, save a cookie with both and check on every page load both values against the table and renew them if they are correct. This seems simple to make and would work even if the user logs in from different places, but I don’t know how secure it is. The cookies would be visible, but I don’t see any way of hijacking the session unless somebody stole the cookie and used it before it renewed.
Is this secure? What other simple approach could I use?
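The sessions-table design described in the question, written out as an added example (this is not the asker's code). It uses an in-memory SQLite database through PDO so it runs stand-alone; the `alice` user and her password are constructed sample data. Two choices differ slightly from the question's sketch: only the random token goes in the cookie (the user id is looked up server-side from it, so there is nothing for the client to tamper with), and the table stores a SHA-256 hash of the token rather than the token itself, so a leaked or backed-up sessions table does not hand out live sessions.

```php
<?php
// Added example: a server-side session table keyed by a random token.
// Runs stand-alone against an in-memory SQLite database (PDO + pdo_sqlite).
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // seconds of inactivity before a session expires

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    // Only a hash of the cookie token is stored; the raw token never touches the DB.
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the raw token to place in the cookie, or null if the login fails.
function login(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG, not rand()/uniqid()
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int)$row['id'], time() + SESSION_LIFETIME]);
    return $token;
}

// Called on every page load: returns the user id for a valid token, or null.
function currentUser(PDO $db, ?string $token): ?int {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed cookie value: reject before touching the DB
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    // Sliding expiry: the session lives on while the user keeps using it.
    $stmt = $db->prepare('UPDATE sessions SET expires_at = ? WHERE token_hash = ?');
    $stmt->execute([time() + SESSION_LIFETIME, $tokenHash]);
    return (int)$row['user_id'];
}

function logout(PDO $db, string $token): void {
    $stmt = $db->prepare('DELETE FROM sessions WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
}

// HttpOnly keeps scripts from reading the cookie, Secure keeps it off plain HTTP,
// SameSite=Lax stops most cross-site requests from carrying it.
function sendSessionCookie(string $token): void {
    setcookie('sid', $token, [
        'expires'  => 0,   // browser-session cookie; the server-side expiry is authoritative
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function expect(bool $cond, string $what): void {
    if (!$cond) { throw new RuntimeException("check failed: $what"); }
}

// Stand-alone demo with constructed sample data (no HTTP request involved).
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
expect(login($db, 'alice', 'wrong password') === null, 'bad password rejected');
$token = login($db, 'alice', 'correct horse battery staple');
expect($token !== null && currentUser($db, $token) === 1, 'valid token maps to user 1');
expect(currentUser($db, str_repeat('0', 64)) === null, 'forged token rejected');
logout($db, $token);
expect(currentUser($db, $token) === null, 'token unusable after logout');
echo "session table demo ok\n";
```

Because the lookup is by SHA-256 of the token, a plain `=` comparison in SQL is fine; the point of hashing is that someone who reads the table still has to invert the hash to impersonate a live session. The user id never needs to be in the cookie at all, which removes the tampering problem the question starts from.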
Why not store the username in a session variable? The client stores a random ID and presents this to the server. The server then matches this with the username (which the server has locally). Only the server can see the username. It’s also really easy to code and PHP creates the random ID and gives it to the client for you. Additionally, if the user changes the ID to something else, there’s very little chance of them stumbling upon another ID that exists and is in use by another user logged in.
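The approach in this answer, as an added example rather than the answerer's code: PHP's built-in session handling issues the random ID, the cookie carries only that ID, and the user's identity lives in `$_SESSION` on the server. The `findUser()` lookup and its single `alice` entry are a constructed stand-in for a real database query.

```php
<?php
// Added example: the "random session ID on the client, username on the server"
// pattern using PHP's native sessions (PHP 7.3+ for the array form of
// session_set_cookie_params).
declare(strict_types=1);

const IDLE_TIMEOUT = 1800; // seconds

function startSecureSession(): void {
    // Cookie attributes must be set before session_start() issues the cookie.
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie; idle timeout is enforced below
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    // Strict mode rejects session IDs the server never generated, so a client
    // cannot make the server adopt an ID of its own choosing.
    ini_set('session.use_strict_mode', '1');
    session_start();

    // Idle timeout: discard data and ID for a session untouched for too long.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_seen'] = time();
}

// Constructed stand-in for a database lookup: one sample user.
function findUser(string $username): ?array {
    static $users = null;
    if ($users === null) {
        $users = ['alice' => [
            'id'      => 1,
            'pw_hash' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        ]];
    }
    return $users[$username] ?? null;
}

// On successful login, bind the user to a fresh session ID so an ID the client
// held before authenticating is never upgraded to a logged-in one.
function loginUser(string $username, string $password): bool {
    $user = findUser($username);
    if ($user === null || !password_verify($password, $user['pw_hash'])) {
        return false;
    }
    session_regenerate_id(true);         // new ID; the old one is deleted server-side
    $_SESSION['user_id'] = $user['id'];  // identity stays on the server
    return true;
}

// On every protected page: the client only ever presents the session ID.
function requireLogin(): int {
    if (!isset($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    return (int)$_SESSION['user_id'];
}

function logout(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser, then destroy the server-side data.
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical page flow (login.php would call loginUser() with POSTed credentials):
startSecureSession();
if (loginUser('alice', 'correct horse battery staple')) {
    echo "logged in as user " . requireLogin() . "\n";
}
```

Editing the cookie now only changes which ID the client presents; with strict mode on, an ID the server did not issue is simply discarded and a fresh empty session is started, which is the "very little chance of stumbling upon another ID" property the answer describes, backed by a 128-bit-class random ID rather than by luck.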