Secure login/class?

[stuffradio]

I want to make a secure login, I also want to be protected against session hijacking and cookie hijacking(if I use cookies).

 

Any tips on how to do this? What do you use?

[nova912]

I also want to be protected against session hijacking and cookie hijacking(if I use cookies).

 

This is a tough issue and i have read up on it. Basically, unless you login system and back-end is behind an SSL connection you're not going to have total security, you'll have security-through-obscurity.

 

I just finished writing an authentication class for my back-end and I settled on this solution.

 

Basically, unless you login system and back-end is behind an SSL connection you're not going to have total security, you'll have security-through-obscurity.

 

You __can't__ rely on the ip_address or the http_user_agent to stay the same across the session because some ISP's will cause false or different values for both, even during the same session.

 

What i did was use a technique called a request and expiration. Basically, every time the user makes a request to continue the session they submit with their session_id, a request code that was generated on their last access. That code must match what's stored in the session. The code changes each time the user access the session. This allows for a bit more security, but it by no means prevents session hijacking -- it just makes it harder.

 

I just allowed the user to choose if they would like to enabled ip_address and http_user_agent checking. I also added a lockdown feature if an account had too many failed attempts to login, its a double edge sword because anyone can just bombard the account and cause the real user to get locked out as well. (again an option). Finally (i got this idea from a bank) i added a time lock feature that only allows users to login during certain parts of the day.

 

Hope this helps

[redbrad0]

I use http://pear.php.net/package/LiveUser/ and love it. It does a ton more then just logging in the user's. It all gives you permission based programming.

 

// I know this isnt php just easier to just type

If in group admin then

 

else if in group sales then

 

else if has the individual permission of SEND_BILLING_PAYMENT then

 

end if

[deadonarrival]

redbrad, what you typed is pseudo-code, just for future reference. It's just where you use a vaguely code-like style to put accross what you mean in real english.

 

I use a variety of techniques. The main one is to use session ID's, and only allow them to be used for a short time. regenerating sessions is one of my favourites. Store the session id in the database, and regenerate it every 10 pageviews or so - it helps to avoid session spoofing at least.

 

Store as little as possible in the session, don't store any actual data in it, just references to things you have in your DB.

 

Avoid cookies where possible. It doesn't take much effort on the part of the user to log in each time they visit, but if you provide them with an auto-login feature you've done half the breaking in yourself.

 

Store a combination of IP/user agent/session id in the database - okay, they're not perfect, but it works the vast majority of the time.

 

As with any security, it's getting the balance of protecting your data and making your app as easy as possible to use. In general.

[stuffradio]

Do you think it's ok to store the username in the session?

 

Also I'll use that 10 page view thing.

[deadonarrival]

It's okay to store the username, it's probably slightly better to store the user ID and grab the username from the DB.