I’m looking for a way to protect my php session that contains important information. Using an IP verification is not a good idea for people on the phone. That’s why I thought it might be smart to store a randomly generated key in the session and in a classic cookie. Then every x minutes check that the two keys match. Is this a good idea? I didn’t find anything about this in my search. Thank you for your feedback, Jesver
Advertisement
Answer
It’s partially a good idea.
Usually it is enough to protect a session with a (personal) account and a password (a key). The accountname should not be too generic like ‘admin’ or ‘root’, and the password should contain enough entropy, which makes passwords hard to predict (and hard to remember, hence the usage of password managers).
One reason to add an extra crypto safe key via JavaScript is to prevent cross-site request forgery (CSRF). The key is only known to the JS context and also stored in the session. The CSRF token must then be sent along with every HTTPS request, and it must match the value from the session, otherwise the request must be rejected.
You can read all about this and other prevention mechanisms on the OWASP Cheat Sheet Series site.