Should my PHP website ask for the login cookie every time?

Time:02-05

I have built a PHP website; you can enter your login information and it saves an authentication cookie in your browser. After that, a SESSION variable called 'user' is created and you can continue to the user-specific pages. My question is: when the user switches to another page, for example his settings, should I check his login information again (hash auth_token and compare it to the value in the db), or is it enough just to check isset($_SESSION['user'])?

CodePudding user response:

Sessions are stored on your server, and cannot be directly accessed by the visitor of your website.

This means that if you make sure that $_SESSION['user'] can only be set when the visitor enters valid credentials, then you don't need to check the cookie every time. You simply rely on the session cookie. Checking it cannot hurt though, so why not do it?

Note that it is possible for a hacker to copy the cookies and pretend to be someone they are not. This is called "cookie spoofing" or session hijacking. Erasing important cookies when a user leaves the website can already defend against that quite well.

You're being somewhat vague about what you store in the "authentication cookie", but I think you're using random tokens which you store in the database and link to a user. That's a good idea. It is important to generate a new token every time a user logs in, and let tokens expire after a certain period if they're not used.
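
A sketch of the scheme this answer describes, added here as an example and not code from the original thread: the session is trusted once set, the cookie token is only consulted when no session exists, a new token is issued on every login, and unused tokens expire. The `auth_tokens` table, the function names `login_user` and `current_user`, the cookie name and the 14-day idle lifetime are assumptions.

```php
<?php
declare(strict_types=1);
// Assumed schema (hypothetical): auth_tokens(user_id INTEGER, token_hash TEXT, expires_at INTEGER)
// session_start() is assumed to have run before either function is called.
const TOKEN_IDLE_TTL = 14 * 24 * 3600; // assumed idle lifetime in seconds

// Call only after the password check has succeeded.
function login_user(PDO $db, int $userId): void
{
    session_regenerate_id(true);           // discard the pre-login session ID
    $_SESSION['user'] = $userId;           // the only login path that sets this
    $token = bin2hex(random_bytes(32));    // new random token on every login
    $db->prepare('INSERT INTO auth_tokens (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + TOKEN_IDLE_TTL]);
    setcookie('auth_token', $token, [
        'expires'  => time() + TOKEN_IDLE_TTL,
        'path'     => '/',
        'secure'   => true,                // sent over HTTPS only
        'httponly' => true,                // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call at the top of every protected page; returns the user id or null.
function current_user(PDO $db): ?int
{
    if (isset($_SESSION['user'])) {
        return (int) $_SESSION['user'];    // server-side state, no DB lookup needed
    }
    $token = $_COOKIE['auth_token'] ?? '';
    if (!is_string($token) || $token === '') {
        return null;                       // no session and no usable cookie
    }
    $hash = hash('sha256', $token);        // the DB stores only the hash of the token
    $stmt = $db->prepare(
        'SELECT user_id FROM auth_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([$hash, time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                       // unknown or expired token
    }
    // Sliding expiry: a token that is used stays valid, an unused one lapses.
    $db->prepare('UPDATE auth_tokens SET expires_at = ? WHERE token_hash = ?')
       ->execute([time() + TOKEN_IDLE_TTL, $hash]);
    session_regenerate_id(true);
    $_SESSION['user'] = (int) $userId;
    return (int) $userId;
}
```

A protected page then calls `current_user($db)` once and redirects to the login form when it returns null.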

CodePudding user response:

Yes, just verify the authentication session variable :)
