User Login & Sessions :Safe or Not_问答_开发者

开发者 https://www.devze.com 2023-01-17 12:31 出处：网络

DB table: login_info -------------------------------------- login|passwd|company | --------------------------------------

DB table: login_info

--------------------------------------
| login      |  passwd    |  company |
--------------------------------------
|company1    |  passmd5   | company1 |
--------------------------------------
|company2    |  passmd5   | company2 |
--------------------------------------
|company3    |  passmd5   | company3 |
--------------------------------------

once login matches, the login name and company name is saved in a session variable.

$_SESSION['SESS_MEMBER_ID'] = $log['login']; //where $log is the mysql_fetch_assoc result array开发者_如何学编程
$_SESSION['log_company_id'] = $log['company'];

Then using the stored company name in the session variable, the company details are loaded from a company specific db. I am not relying on cookies for storing this information. Is this method safe? Should I do something else? Any other security measures that I should know of?

instead of storing the loginid in a variable and just "assuming" that its the same person you might want to store the session as a record in a database. then have the id of this record in the session variable.

That way you can store the user's IP address in the database and when you check the session you can check the ip address against the session in the database - this will eliminate session hijacking and will add more security.