database - PHP - Is this secure enough for unique session tokens? -
i creating php application , need user authentication secure possible!
once user has logged-in need set cookie (along other cookies) session identifier , has unique.
<?php // set default timezone time() function. date_default_timezone_set("europe/london"); $secure_token_length = 16; // 32-digits long. // generate unique token. $token = time() . "-" . bin2hex(openssl_random_pseudo_bytes($secure_token_length, $strong)); // set session identifier. setcookie("session", $token, 0, "/app/", false, false, true); ?>
as can see i'm creating unique token , appending current unix timestamp ensure value not generated twice, secure token stored in database within unique column , token not inserted database if in use (using php's do-while function), advice on how make more secure please comment.
if want "secure possible" please use established method rather trying create own. example, let third-party authenticate stackoverflow allows login facebook, yahoo, etc...
additionally, php has built-in session handling functions can work both cookies , databases, owasp has guide on how securely manage sessions, don't understand why you're trying reinvent wheel here generating own session tokens.
Comments
Post a Comment