I'm trying to implement high security on a website but while I thought my code wasn't good enough, it seems to be higher than other articles out there. However I was wondering if someone could have a look at the following code and tell me what the difference is between using the setcookie() line or the session_start() option. I've googled a lot of answers as well as on Stack Overflow but can't get a decent explanation.
In my authentication page:
// Generate unique 32 byte string for session value
$SALT_BYTE_SIZE = 32;
$sessionValue = base64_encode(mcrypt_create_iv(SALT_BYTE_SIZE, MCRYPT_DEV_URANDOM));
// Store user details in encrypted session variable
session_regenerate_id(true);
ini_set('session.cookie_lifetime', 0);
ini_set('session.cookie_secure', 1);
ini_set('session.use_strict_mode', 1);
ini_set('session.hash_function', 'sha256');
setcookie("sessionIdentifier", $sessionValue, 0, "/sessions", 'domain.com', 1, 1);
//session_start();
//include_once '../includes/session.inc';
$_SESSION["user"] = $user;
$_SESSION["sessionIdentifier"] = $sessionValue;
// Redirect to admin home page
Checked at the top of every secure page:
ini_set('session.use_cookies', 1);
ini_set('session.use_only_cookies', 1);
session_start();
function check_auth() {
ob_start();
if ( (!isset($_SESSION['sessionIdentifier']) || (!$_SESSION['sessionIdentifier'] == "")) && (!isset($_COOKIE['sessionIdentifier']) || !($_COOKIE['sessionIdentifier'] != "")) ) {
header("Location: http://www.........");
}
ob_end_flush();
}
Can any one help please? Or is the rest of this code even correct?
Many thanks, Steve
Aucun commentaire:
Enregistrer un commentaire