tanger has asked for the wisdom of the Perl Monks concerning the following question:

Hey, I was just wondering if there's anything wrong with using session tokens to track log-ins. (members_area.pl?user=test&session=AsdDx35D234m1d)

When a user logs in, I generate a 16-character session token that is stored in a MySQL db.

The session token will expire after 60 minutes of inactivity. I'm also going to add a feature that logs the IP along with the session token, so that it prevents someone on a different computer from using a session token that's currently active.

Is there anything wrong with this method? Is it used quite often? Am I forgetting about any other security risks involved?

ty tanger
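A worked version of the scheme in the question, added here as an example (it is not tanger's code): a 16-character token drawn from the kernel CSPRNG, a sessions table that stores only the SHA-256 of the token (so a database dump does not hand out live sessions), and expiry after 60 minutes of inactivity. It assumes DBD::SQLite is installed and uses an in-memory database in place of MySQL so it runs stand-alone; the table layout and the function names are ours. The IP binding from the question is left out on purpose.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
use Digest::SHA  qw(sha256_hex);
use MIME::Base64 qw(encode_base64);

# Assumption: DBD::SQLite is available. An in-memory database stands in
# for the MySQL table from the question so the script runs offline.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do(<<'SQL');
CREATE TABLE sessions (
    token_hash CHAR(64)    PRIMARY KEY,  -- SHA-256 of the token, never the token
    user       VARCHAR(64) NOT NULL,
    last_seen  INTEGER     NOT NULL      -- epoch seconds of the last request
)
SQL

my $IDLE_LIMIT = 60 * 60;   # 60 minutes of inactivity, as in the question

# 12 bytes from /dev/urandom -> 16 URL-safe base64 characters (96 bits).
# rand() is not suitable for this: its seed and output are predictable.
sub new_token {
    open my $fh, '<:raw', '/dev/urandom' or die "urandom: $!";
    read($fh, my $bytes, 12) == 12 or die "short read from urandom";
    close $fh;
    (my $tok = encode_base64($bytes, '')) =~ tr{+/}{-_};
    return $tok;
}

# Called after the password check succeeds. Returns the token to hand to
# the browser; only its hash goes into the table.
sub start_session {
    my ($user) = @_;
    my $tok = new_token();
    $dbh->do('INSERT INTO sessions (token_hash, user, last_seen) VALUES (?, ?, ?)',
             undef, sha256_hex($tok), $user, time());
    return $tok;
}

# Returns the user name for a live token, or undef. The idle clock is
# reset on every successful lookup; expired rows are deleted on sight.
# $now is a parameter only so the demo below can simulate idle time.
sub lookup_session {
    my ($tok, $now) = @_;
    $now //= time();
    return undef unless defined $tok && $tok =~ /\A[A-Za-z0-9_-]{16}\z/;
    my $h = sha256_hex($tok);
    my ($user, $last) = $dbh->selectrow_array(
        'SELECT user, last_seen FROM sessions WHERE token_hash = ?', undef, $h);
    return undef unless defined $user;
    if ($now - $last > $IDLE_LIMIT) {
        $dbh->do('DELETE FROM sessions WHERE token_hash = ?', undef, $h);
        return undef;
    }
    $dbh->do('UPDATE sessions SET last_seen = ? WHERE token_hash = ?',
             undef, $now, $h);
    return $user;
}

# Logout: remove the row so the token stops working immediately.
sub end_session {
    my ($tok) = @_;
    $dbh->do('DELETE FROM sessions WHERE token_hash = ?', undef, sha256_hex($tok));
}

# Demo run
my $tok = start_session('test');
printf "token %s (%d chars)\n", $tok, length $tok;
print "lookup now:          ", (lookup_session($tok)                      // 'none'), "\n";
print "after 59 min idle:   ", (lookup_session($tok, time() + 59 * 60)    // 'none'), "\n";
print "after 61 more min:   ", (lookup_session($tok, time() + 120 * 60)   // 'none'), "\n";
my $bad = substr($tok, 0, 15) . ($tok =~ /x\z/ ? 'y' : 'x');
print "tampered token:      ", (lookup_session($bad)                      // 'none'), "\n";
```

The third lookup fails because the second one moved last_seen to 59 minutes from the start, so 120 minutes is 61 minutes of idle time. Hashing the stored token costs nothing on the hot path and means the table itself is not a list of valid credentials.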

Replies are listed 'Best First'.
Re: Session Tokens for Log-in
by friedo (Prior) on Apr 17, 2005 at 05:17 UTC
    There's no guarantee that a user will be coming from the same IP address for every hit. AOL users, for example, have rotating proxy servers.

    I would use something time-tested like CGI::Session instead. It has an interface for MySQL databases and makes all the session-handling details easy as pie.

Re: Session Tokens for Log-in
by NetWallah (Canon) on Apr 17, 2005 at 05:22 UTC
          Am I forgetting about any other security risks involved?

    That depends on the value of the assets involved; how much user convenience you are willing to sacrifice to beef up security; how much security effort you want to put in; and what the likelihood is of bad guys desiring to break into your system.

    Basically, your system is adequate to prevent access by a medium-energy, casual thief. Unless finance or very private information is involved, that is usually good enough. Besides, you get much less bang (security) for the buck (additional security effort) beyond this point. The only thing I'd add is SSL/HTTPS.

         "There are only two truly infinite things. The universe and stupidity, and I'm not too sure about the universe"- Albert Einstein

      I just learned about CGI::Session, it even does cookies too...

      Should I bother with cookies? The site is not financial or ecommerce and has no really private information, but it does provide a service that costs money--therefore anyone who would want it free might want to hack into it, hah.

      It does have https/ssl so that's a good thing :)

      tanger
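What friedo's CGI::Session suggestion and tanger's cookie question look like together, as an added example that is not code from the thread: the session id is issued in a cookie rather than as a query parameter, with the Secure and HttpOnly flags set, and CGI::Session's own expire() handles the hour of inactivity. It uses the file driver in a temporary directory so it runs without a database; the MySQL form friedo refers to is shown in a comment. It assumes CGI.pm (new enough to accept -httponly) and CGI::Session are installed; the user name stored is made up for the demo and CGISESSID is CGI::Session's default cookie name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;
use File::Temp qw(tempdir);

my $cgi = CGI->new;

# Runnable without a database: sessions are files in a temp directory.
# With a DBI handle $dbh to the MySQL table, the call friedo means is:
#   CGI::Session->load('driver:mysql', $cgi, { Handle => $dbh })
# (assumption: the table is created per CGI::Session::Driver::mysql docs).
my $dir = tempdir(CLEANUP => 1);

# load() rather than new(): load() lets us tell "expired" apart from
# "no session", and only creates a session when we ask for one.
my $session = CGI::Session->load('driver:file', $cgi, { Directory => $dir })
    or die CGI::Session->errstr;

my $note = '';
if ($session->is_expired) {
    # More than an hour since the last request: treat as logged out.
    $note = "previous session expired; ";
}
if ($session->is_empty) {
    # No valid CGISESSID cookie: in a real app this is where the
    # password check happens. The user name below is a demo value.
    $session = $session->new;
    $session->param(user => 'test');
}

# Idle timeout, measured from the last access, not from creation.
$session->expire('+1h');
$session->flush;

# Hand out the id in a cookie, not in the query string, so it stays out
# of server logs and Referer headers. Secure keeps it off plain HTTP;
# HttpOnly keeps page scripts from reading it.
my $cookie = $cgi->cookie(
    -name     => $session->name,    # CGISESSID by default
    -value    => $session->id,
    -path     => '/',
    -secure   => 1,
    -httponly => 1,
);
print $cgi->header(-type => 'text/plain', -cookie => $cookie);
printf "%suser %s, session %s\n", $note, $session->param('user'), $session->id;

# Logout would be: $session->delete; $session->flush;
```

With the id in a cookie the user=test parameter from the original URL is no longer needed either: the user name lives in the server-side session record, so a visitor cannot change it by editing the URL.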