On 2/28/2013 11:17 PM, Chris Wong wrote:
On Wed, Feb 27, 2013 at 8:37 AM, Corentin Dupont
wrote:
Hi Chris, Thanks! That's true for the user number. What should I do? Encrypt it?
It's not that you have a user number, or even that it's accessible: it's that it's the entirety of access control, meaning that if the user changes it they can masquerade as another user. The correct solution is that a user should authenticate, which creates a session hash that you stash away and also send back to the user as a cookie so the browser will present it on accesses. Then you check that the presented hash is there and matches the session hash. These should expire periodically, requiring the user to log back in again. Additionally, you can change the session hash with every page hit, to some other totally random hash. If someone steals your session, they had better act on it immediately, lest you visit another page and it changes completely. If your session gets hijacked, you get logged out. When you log in again the attacker loses access.
You can also check sessions by the hash and IP address. That has usability concerns though. Even if players never switch machines in the middle of a game, suppose you are playing on a cell phone and your train goes through a tunnel. When you reconnect, your provider gives you a different IP and you are logged out.