next »

[Delusional]

alot of noob coders say that using sessions are alot more secure. well sorry to break it too you but the use of sessions doesn't make the site more secure, unless the sessions are accompanied by cookies.

the cookies creation in most scripts can be injected simply because the cookies are being made incorrectly. cookies need to have 5 variables to work right, most scripts like yob and gen2 only construct cookies with 3 of the 5 required variables.

[legolasoft]

+1

[mc2w]

This sounds interesting. Can we get some more info about keeping login sessions secure using cookies? I mean, you only say how many variables to use, but not much else.

[Delusional]

This sounds interesting. Can we get some more info about keeping login sessions secure using cookies? I mean, you only say how many variables to use, but not much else.

many cookies creation on scripts like yob, gen2, and aurora use the following format

Code:

setcookie("user", "username", time()+3600);

this is wrong and is depreciated. the correct way would be this way

Code:

setcookie("user", "username", time()+3600,"/",".domain.com");

this is a secure cookie also you would want in the header some where

Code:

setcookie("user, "username", time() - 3600, "/",".domain.com");

also make sure that any file that requires access with a cookie and/or session you have

Code:

session_start();

one line below

Code:

<?php

[daveoffy]

<deleted>

[Delusional]

That is very useful. I am going to change all of my sessions soon into cookies. *bookmarks*

i woul;dn't go that far. session are more secure that cookies are.

[daveoffy]

<deleted>

[Delusional]

Well im not going to change ALL of them but I am going to add some cookies so members can stay logged in. My friend on a mac always have problems on my site with sessions, he always gets logged out every few mins.

then the time that was set on the sessions were not high enough, you might try to put in an if statement based on users user-agent or os.

[Moderator1]

thnx 4 ths useful info...

[Miguel]

looks like this guys above is just posting to make up posts so he can enter the weekly draw

[Delusional]

yeah, should prolly report him, alot of ppl have been doing that and getting the $10 i think only those with a high post count should get into the contest, those of us that are actually active.

[Miguel]

yeah, should prolly report him, alot of ppl have been doing that and getting the $10 i think only those with a high post count should get into the contest, those of us that are actually active.

I agree with you.

[Delusional]

ty, ok back on topic