I am always wondering that the login systems I have created is vulnerable to attacks or not.
As many other programmers I also use sessions to hold a specific token token to know the login status. Cookies to hold the username or even sometime saved status.
What I am wondering is, Is this the right way? Is there any approach better than this?
分享 You could create your own custom checks on the session. Make sure it's created by the same user agent and from the same IP address.
Other than that, sessions are pretty solid.
In the login section, you would do something like:
$_SESSION['_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['_remote_addr'] = $_SERVER['REMOTE_ADDR'];
and then you can do a check in every request:
function sessionIsOK ()
{
return ($_SESSION['_user_agent'] == $_SERVER['HTTP_USER_AGENT'] &&
$_SESSION['_remote_addr'] == $_SERVER['REMOTE_ADDR']);
}
