
I'm working on a login system that creates a session for the user once he logs in. I am attempting to make the system as secure as possible. I found some resources that claim session_start() itself is insecure and recommend taking extra steps to secure it. See: How to create bulletproof sessions and Secure login system with PHP and MySQL. I played around with Wireshark and saw how easy it was to find the login credentials (sent with POST) and cookies when I used an HTTP connection. I made the website automatically redirect to HTTPS and now I'm unable to find the credentials (side note: what does "Encrypted Handshake" mean?). I saw this post and it says

There is no such thing as secure cookie UNLESS it's transmitted over SSL only.

So it led me to think that using HTTPS is enough for a secure login system. Is using session_start() and only that secure now that I am using an HTTPS connection or do I need to add further security measures?

Eric Wiener

1 Answer


HTTPS and session_start() are addressing two separate problems. HTTPS reduces the probability of man-in-the-middle attacks, whereas sessions manage which user has credentials to do what (and which user). When hacking PHP sessions, it is usually done through brute force, through a browser export, or through a compromised computer. PHP is an open source project, meaning that anyone can view the algorithm it uses when creating sessions. A hacker used this to rule out all the possibilities that didn't need checking and hacked someone based on sessions. Creating your own would make your site harder to hack (assuming you make your IDs long enough, etc.). That being said, unless I was writing a banking website, I wouldn't bother.

Neil
  • Thanks for the response. Just to make sure I'm understanding correctly: if someone gets access to the session id, they can pretend to be that user. This is done with a brute force attack to try to guess the session id. Since my user data isn't anything too sensitive, it would be sufficient for me to just use session_start. If I wanted to add in some extra protection, I would have to make generating the id more extensive. Have I gotten everything correct? – Eric Wiener Mar 17 '17 at 22:47
  • Yes, but when I said session id, I meant all cookies setup by a PHP session. – Neil Mar 17 '17 at 22:48
  • Got it. Thanks so much. – Eric Wiener Mar 17 '17 at 22:49
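The two concerns the thread separates, transport (the HTTPS redirect the question describes) and session management (the session-ID guessing and cookie points in the answer), in one login script. This is an added example, not code from the question, the answer, or the linked tutorials. It assumes PHP 7.3 or newer, passwords stored as password_hash() digests, and an in-memory array standing in for the MySQL user table; the user name, password and proxy-header remark are constructed for the example.

```php
<?php
declare(strict_types=1);

// 1. Enforce HTTPS. Over plain HTTP the POSTed credentials and the session cookie
//    are readable by anyone on the path, which is what Wireshark showed in the question.
//    PHP sets $_SERVER['HTTPS'] on TLS connections; behind a TLS-terminating proxy
//    you would check X-Forwarded-Proto instead (assumed deployment detail).
function enforce_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    // HSTS: the browser will not attempt plain HTTP again for a year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// 2. Start the session with hardened settings. Passing them to session_start()
//    overrides php.ini for this script only, so it works on shared hosting.
function start_secure_session(): void
{
    session_start([
        'cookie_secure'          => true,  // cookie is only sent over HTTPS
        'cookie_httponly'        => true,  // cookie is not readable from JavaScript
        'cookie_samesite'        => 'Lax', // cookie is not attached to cross-site POSTs
        'use_only_cookies'       => true,  // never accept the session ID from a URL
        'use_strict_mode'        => true,  // reject IDs the server did not issue itself
        'sid_length'             => 48,    // 48 characters * 6 bits = 288 bits of ID,
        'sid_bits_per_character' => 6,     // so guessing it is not a realistic attack
        'gc_maxlifetime'         => 1800,  // idle sessions expire after 30 minutes
    ]);
}

// Constructed credential store: one user, stored as a password_hash() digest.
function find_password_hash(string $username): ?string
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    }
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('placeholder', PASSWORD_DEFAULT);
    }
    $hash = find_password_hash($username);
    // Always run password_verify(), against a dummy digest for unknown users,
    // so the response time does not reveal which user names exist.
    $ok = password_verify($password, $hash ?? $dummy) && $hash !== null;
    if (!$ok) {
        return false;
    }
    // Issue a fresh session ID on privilege change: an ID an attacker planted or
    // observed before login (session fixation) is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user']       = $username;
    $_SESSION['login_time'] = time();
    return true;
}

function current_user(): ?string
{
    return $_SESSION['user'] ?? null;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Request handling.
enforce_https();
start_secure_session();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = login((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'logged in as ' . htmlspecialchars((string)current_user()) : 'invalid credentials';
}
```

The cookie_secure flag is the "transmitted over SSL only" property the quoted post refers to; without it the browser would still send the session cookie if anything on the site linked to a plain-HTTP URL, even after the redirect. use_strict_mode and session_regenerate_id() together address the brute-force and fixation cases the answer mentions without replacing PHP's own ID generator, which draws from the operating system's random source.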