Handling sessions with php question
For my project I'd like to start the session after they are successfully logged in and transferred to their user page. I'm curious, though, how to store the session: do I use the user_id assigned to some other id or something in order to keep track of it being active? I tried reading the PHP docs on it but I got a bit confused. Any insight on handling sessions is most welcomed. I'll share my code for my login page so others can let me know if I'm doing this wrong. Thanks!
I'm afraid I can't answer your session question, but I'd like to point out something related to the form. I am taught to use a CSRF token in forms like this. A CSRF token is a token that can improve security against cross-site scripting (XSS) attacks. It's used to check if the form that has been sent to your validate page comes from your login page.
On the login page you add something like this. You start a session, create a unique token and add it to the session
and in the form you add a hidden input that contains the token as its value
On your validation page you compare the token value from your session with the token value from the hidden input. If it's the same, you are certain that the form came from your login page.
hope this helps :)
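The three steps above (token created and stored in the session on the login page, carried in a hidden input, compared on the validation page), as an added PHP example that is not the poster's code. The function names and the csrf_token session key are assumptions, and the comparison uses hash_equals() so the check takes the same time whether or not the values match.

```php
<?php
// Added example of the CSRF-token flow described above. Function names and the
// 'csrf_token' session key are assumptions, not code from the thread.

// Login page: start the session and create the token once per session.
function csrf_get_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded to 64 chars, so the value
        // cannot be guessed by another site that tries to forge the request.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input for the login form; htmlspecialchars keeps the echo safe to embed.
function csrf_hidden_input(): string
{
    $token = htmlspecialchars(csrf_get_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Validation page: the submitted value must equal the session value.
// hash_equals() compares in constant time, so response timing does not leak the token.
function csrf_is_valid(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Usage on validate.php, before the username/password check:
// if (!csrf_is_valid($_POST)) { http_response_code(403); exit('Invalid form submission.'); }
```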
interesting
can the hidden field be exploited?
Technically yes, since it's visible and editable in the inspector tool, but if someone changes the value it won't be equal to the value in the session.
Only I'm not sure if it completely eliminates the risk of an XSS attack or if there are better alternatives.
Hmm, well the $token value is getting echoed from the above PHP code, so I think the tokens can still match?
I'll look into CSRF tokens
here's my attempt
helper I made to check