Authentication

[nadeemshafi9]

Hi guys

 

Just wanted to ask what is the best hack proof way way of authenticating a user i have a few ideas

 

1. use a session user is authenticated flag to say the user is authenticated

 

2. use a hashed timestamp and insert it into the users record and into a session variable and compare them whilst the user surfs.

 

3. store the hashed pwd and username in a session variable and log in the user each time on every opage , this would mean last login time would be hard to get.

 

 

any sugestions please, thanks

[runnerjp]

http://www.tutorialized.com/tutorials/PHP/User-Authentication/1

[nadeemshafi9]

http://www.tutorialized.com/tutorials/PHP/User-Authentication/1

 

i looked at them and althogh they point out some nice tips, they dont realy discuss a theoretical system, my aim is to not allow the hacker to exploit the session variables

[limitphp]

I'm pretty new to trying to secure logins and stuff, but from listening to everyone on this forum, here's what I do.

 

When they login without clicking "remember me" I store a uniqueID on a cookie set for about 25 minutes.

I then store that same uniqueID in a table along with their userID and an expiration date.

On any page where they need to be authenticated, I check for the uniqueID in the cookie, if its there, I get their user info from the userID in the table.

 

When they login and click "remember me", same thing, only the cookie is set for about 30 days.

 

I figure I will delete all entries in the table everyday where the expiration date expired.

 

Like I said, I'm not super good at this stuff yet, but this seems like a secure system to me.

 

 

[revraz]

Sessions are pretty tough to hack out.

 

Search for "session security" for PHP.