Regarding PHP security with cookies and sessions, this is what i have done so far for prevention of attacks. What have i done incorrectly/unsafely?
login.php
if ($username==$dbusername&&$hashed_password==$dbpassword){
setcookie('username[0]',$username,time()+(60*60*24*365));
setcookie('username[1]',$userid,time()+(60*60*24*365));
setcookie('password',$hashed_password,time()+(60*60*24*365));
if($admin=='1') {
setcookie('username[3]',$admin,time()+(60*60*24*365));
}
$_SESSION['logged-in']=1;
logout.php
$time = time()-(60*60*24*365);
setcookie('username[0]', '',$time);
setcookie('username[1]', '',$time);
setcookie('username[2]', '',$time);
setcookie('username[3]', '',$time);
setcookie('password', '',$time);
unset($_COOKIE['username']);
unset($_SESSION['logged-in']);
I call session_regenerate_id() on everypage, is that correct to stop session fixation/hijacking?
<?php session_start(); session_regenerate_id();
Here is my PHP.ini what other ways do i provide security for sessions & cookies
session.use_trans_sid = 0
session.user_only_cookies = 1
Any examples/impovements welcomed, as i learn better with examples.
Often regenerating the session-id is done, when changing access priviledges (e.g. after a login).
The password should not be stored in a cookie on the client side, not even the hash. It’s not even necessary to store it in the session, you use it only to verify the login, and after writing the state to the session, you should forget about the password.
If you want a really safe site, you need a HTTPS connection with SSL encryption. Otherwise an attacker can eavesdrop the information sent plaintext, and use the session-id (or whatever you use to authenticate the user) to impersonate the user.