alternatives to SESSION and COOKIE?

A session PHPsecurely saves the username, login state, and other things in the $_SESSIONarray, since it's stored on the server. The only thing that is sent to the browser is a cookieunique one (called PHPSESSID unless changed by php.ini ) containing the IDsession ID, which is a unique random number.

Once your visitor has an active session every time they request a page you have session_start()at the top, it session_start()will watch the request for a cookiecall PHPSESSID, read the session file from the server (if the session exists and is valid) , and restore the $_SESSIONarchived set . This array never needs to leave the server.

The cookiesession one is set without an expiration date (unless you mess with the session.cookie_lifetimeoption in php.ini ) , so the browser clears it on shutdown. The session file on the server has an expiration time, managed by session.gc_maxlifetime(in seconds).

Path to more secure sessions:

• Use bcrypt, scrypt, Argon2, or PBKDF2 to crack your passwords.
• Use PHP's built-in session management system (more info english spanish )
• Use HTTPS everywhere, with Hypertext Strict Transport Security
• Use a Content-Security-Policy header to update insecure requests

• If you need to implement a cookie"Remember Me", follow the instructions in the blog post.

  1. Generate two random tokens: a selectorandidentifier
  2. Store the selectory identifierin an HTTP cookie, set the httpOnly = truey secure = trueto only be accessible over HTTPS (and hidden from JavaScript)
  3. Save the selectorand a hash (SHA256 is fine here) of the identifiertoken table
  4. Authenticate the user, based on the token stored in your cookie, in constant time .

You can see more information about sessions and security here .

What not to do in a Secure Login Systems

• Do not store passwords in the database without updating; This is never a good idea!
• Don't encrypt or scramble passwords in a simple way
• Don't use a weak hash function (MD5, SHA1, etc.)
• Don't use an insecure random number generator (which you want to use random_bytes(), and if you're using PHP 5, random_compat ).

You can configure them cookiewith the session_set_cookie_paramsfunction or within your php.ini.

session_set_cookie_params($lifetime = 0, $path = '/', $domain, $secure = true, $httponly = true);

Finally, you need to create a script to log users out of session (and encourage them to use it instead of just browsing). This is a sample script:

<?php
  session_start();
  $params = session_get_cookie_params();
  setcookie(session_name(), '', 1, $params['path'], $params['domain'], $params['secure'], isset($params['httponly']));
  session_regenerate_id(true);
  session_destroy();
  session_write_close();
  header('Location: your_login_page.php');
  exit;

Also after a successful login or logout, change the session id :

session_regenerate_id();

to log out:

session_regenerate_id(true);

This post explains the following Source in theory and the Gatekeeper that implements it.

font

Now you can investigate further.

Try using the browser's LocalStorage. With javascript it's pretty easy to implement and has saved my life several times when I want data to persist from session to session. Here is an example. Now, regarding security, well, if I tell you in advance that it is editable by the user with knowledge of the subject. But it's up to you to implement measures to validate that information before using it. Finally you can use the database to manage the user information and that is not access to it.

So how can the user's identity be securely stored so that it cannot be changed or deleted when the browser is exited?

You cannot prevent the user from deleting or modifying their session cookie. The user can always modify their session identifier, or delete their cookies so that on the next visit they do not detect that it was the same user. Using LocalStorage does not fix this, as the data in LocalStorage can also be modified by the user.

And so it should be, for privacy reasons. You can't force a user to send his ID to your server if he doesn't want to.

On the one hand, the information in cookies can be modified by the user, so storing, for example, a user's ID is not recommended.

For this reason, what is stored in the value of the cookie is only the session ID, and the data (such as the user ID associated with said session), is stored on the server. This way the user can only change the session ID, which should be random enough to avoid this.

Finally, a piece of advice: the session and cookie system is perfectly safe as long as it is used correctly. Do not reinvent the wheel and make sure you use these systems correctly.

I'm a newbie and I'm trying to put myself in the place of the questioner. That's why I kept thinking about your comment: "... for privacy reasons. You can't force a user to send his ID to your server if he doesn't want to..." But you can know the IP address from which he logs in. Is not true? The data of the IP of the "visitor" is not a minor data, to know from where we are creating security problems. I don't think the questioner is trying to reinvent the wheel. It would seem that he has an interest in beefing up security. It wouldn't change anything, but it would add more security. In the event of security attacks, I would create an "IP blacklist". But my proposal would exceed what is asked here.