Solved thread

This post is marked as solved. If you think the information contained on this thread must be part of the official documentation, please contribute submitting a pull request to its repository.

What better method to create authentication?

I can use Cookies and Sessions. But authentification in Vokuro or Invo is dropping quickly (these uses sessions). I think, the use of cookies doesn't very safe, but keeping sessions loads the server.

I've read that I can use Redis or Memcache for create authentication. But what will I have the advantage over the cookies? How can I do it better? What would you choose? Redis sessions or cookies?

Thank you beforehand.



78

(Just a side remark en passant) If you install Redis, be sure to restrict access from outside...



38.3k
Accepted
answer
edited Apr '16

First of all, to clarify: Sessions are variables stored on the server, each of them tied to a particular client session. These client sessions are identified by cookies, for eg: the $_SESSION global you use in PHP knows which variable to read by the PHPSESSID cookie sent by the client browser Cookies are passed along with http requests, session variables stay on the server. Storing auth information either in sessions or cookies will get you the same security bottleneck, the cookies.

Now, session timeout can be tweaked, the default file based ones with session.cookie_lifetime and session.gc_maxlifetime in php.ini. If you use redis or memcached timeout can be set for each as options. Using redis/memcached instead of the default file backend won't be inherently safer, only faster.

As for your original question, to make authentication safe these are the general rule of thumbs:

Short inactivity timeouts, ~10 minutes. This is not the same as session timeout, those can be as high as hours, but inactivity on the site should invalidate the current session.

HTTPS protected and forced site

If remember me is allowed, store a token in the db and as a cookie. Using a token instead of a boolean value will give an extra layer of security against session hijacks.