User authentication system

liad

Hey,

 

While building a user authentication system I came up with this question:

 

Once a user has logged in, I'm checking his username and password, and in case it's all OK, I set some session variables with his info.

 

After he has logged in, is it enough to check for $_SESSION['loggedIn']==1, or should I check his info against the DB entries any time he goes to another page on my site?


 

 

It depends what your authentication system is being used for. For example, a forum checks the user record in the database on each page request in case a mod/admin has disabled an account to prevent a spammer from posting. And no, real scripts don't go through the unnecessarily complex step of finding and modifying the specific session of that visitor to do this. A top level single point of control is used for account management purposes.

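The "top level single point of control" described in the reply above, as an added example that is not code from the thread: one function, called at the top of every protected page, keeps only the user id in the session and re-reads the user's row on each request, so an account an admin has just disabled (or demoted) is cut off on that user's very next request without anyone hunting down their session file. It assumes a PDO connection in `$pdo`, a table `users(id, username, level, is_active)` and that `session_start()` has already run; schema and function names are hypothetical. The cost is one primary-key lookup per request, which is cheap; caching the row for a few seconds is possible but then revocation takes that long to bite.

```php
<?php
// Added example (not from the thread): one per-request gate that re-reads the
// user's record so account disable / level changes take effect immediately.
// Assumes PDO in $pdo, a table users(id, username, level, is_active), and
// that session_start() already ran. Names are hypothetical.

function current_user(PDO $pdo)
{
    if (empty($_SESSION['user_id'])) {
        return null;                       // not logged in
    }
    // Re-read the row on every request: this is the single point of control.
    $stmt = $pdo->prepare('SELECT id, username, level, is_active FROM users WHERE id = ?');
    $stmt->execute(array((int) $_SESSION['user_id']));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if (!$user || !$user['is_active']) {
        // Disabled or deleted since login: drop the session now, not "eventually".
        $_SESSION = array();
        session_destroy();
        return null;
    }
    return $user;
}

function require_level(PDO $pdo, $min_level)
{
    $user = current_user($pdo);
    if ($user === null) {
        header('Location: index.php');     // not logged in (or just disabled)
        exit;
    }
    if ((int) $user['level'] < (int) $min_level) {
        header('HTTP/1.1 403 Forbidden');  // logged in, but not high enough
        exit('Forbidden');
    }
    return $user;   // caller may use $user['level'] to vary page content
}

// Usage at the top of a protected page, after session_start():
//   $user = require_level($pdo, 2);
```

Because the level comes from the row, not from `$_SESSION`, a promotion or demotion needs no session manipulation at all; the session only answers "who", the database answers "what may they do right now".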

So in case my site has a few access levels and different content for different users, I should check all of their information from the DB on every page and not save it in sessions? Security- and efficiency-wise.

[and for a site with a lot of users]


I use the user agent as part of my session, apart from the username/password/etc., to have extra security:

 

public function check_user()
{
	session_start();
	session_regenerate_id();
	if(session_regenerate_id() != $_SERVER['HTTP_USER_AGENT'])
	{
		$_SESSION = array();
		session_unset();
		session_destroy();
		header('index.php');
	}
}

 

No need to query the DB thus making your application faster.


(quoting 9three's check_user() post above)

 

I'm not sure I understood what you did here...:S

 

What if you change their level after they logged in?

 

The only way I'll change their level is if they ask for a change, and that will update the DB and the sessions if they exist.


Not all the time. What if you make someone an Admin and then they start doing malicious stuff? Wouldn't you at least want the option to stop them?

 

1. You've got a point. :)

So the Level check stays a DB check in every page...

Do I need to do something special DB-wise for a large-scale website? Something special I need to take in consideration?

 

2. Still waiting for a little help about 9three's code...


(quoting 9three's check_user() post and liad's earlier reply, both above)


Can you explain what that function does?


9three I'm not exactly sure what you're doing in your code with the 'if(session_regenerate_id() != $_SERVER['HTTP_USER_AGENT'])'. 'session_regenerate_id()' returns a boolean value of true if the session id was successfully generated and false if it wasn't. $_SERVER['HTTP_USER_AGENT'] returns a string of client data from the browser including the browser version, operating system and more. These two functions will NEVER be equal and thus will always completely destroy the session.

 

liad, you may want to check out this article I wrote on sessions http://www.solutionbot.com/2008/12/27/secure-session-management/. 9three is doing some things right, such as regenerating the session id to guard against session fixation (http://en.wikipedia.org/wiki/Session_fixation) and he is taking all three necessary steps to completely destroy the session but there is something wrong with the 'if' statement.

 

The session class I wrote about starts a secure session that hashes all kinds of data from the client, such as browser version, IP address, operating system info and more. If this stays the same throughout all the pages you know that it's the same person. If not, destroy the session using the session::destroy() function and this will ensure session security across the board. Another thing this class helps with is checking that the referring page is on the same domain, and it automatically regenerates the session ID so that it is very difficult to hack. Definitely read up on session fixation as it is an ignored subject and is very very important. Hope this helps!!!

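The session lifecycle the reply above describes (regenerate the id against fixation, bind the session to client data, tear it down completely), written out as an added example that is not the linked article's class nor code from the thread. It regenerates the id at the one moment that matters most, right after a successful password check, so any id an attacker planted before login is worthless afterwards. The fingerprint deliberately uses only the User-Agent: including the client IP, as the reply suggests, locks out users behind rotating proxies and mobile carriers, and a UA check is in any case only a speed bump (an attacker who steals the cookie can copy the UA too), so the real protections are the HttpOnly/Secure cookie and the regeneration. Expiring the browser cookie is added here as a third teardown step alongside clearing the array and destroying the server-side data. Function names are hypothetical.

```php
<?php
// Added example, not code from the thread or the linked article: a minimal
// session lifecycle that (1) sends a hardened cookie, (2) binds the session to
// a hash of the browser's User-Agent, (3) issues a fresh id at login, and
// (4) tears the session down completely. Function names are hypothetical.

function session_begin()
{
    // Cookie only, HttpOnly, and Secure when served over HTTPS.
    ini_set('session.use_only_cookies', 1);
    $https = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $https, true);
    session_start();

    $fp = session_fingerprint();
    if (!isset($_SESSION['fp'])) {
        $_SESSION['fp'] = $fp;              // first request of this session
    } elseif ($_SESSION['fp'] !== $fp) {
        session_end();                      // browser changed: treat as hijack
        header('Location: index.php');
        exit;
    }
}

function session_fingerprint()
{
    // Deliberately only the User-Agent: adding the client IP locks out users
    // behind rotating proxies / mobile carriers. Hashing keeps the raw UA
    // string out of the session store.
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

function session_login($user_id)
{
    // Called only after the password check succeeded. A new id here makes any
    // id the attacker planted before login (session fixation) worthless;
    // true deletes the old server-side file instead of leaving it behind.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user_id;
    $_SESSION['fp']      = session_fingerprint();
}

function session_end()
{
    $_SESSION = array();                    // 1. empty the in-memory array
    if (ini_get('session.use_cookies')) {   // 2. expire the browser's cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                      // 3. remove the server-side data
}

// Usage: session_begin() at the top of every page; session_login($id) once the
// credentials verified; session_end() on logout or on any tamper signal.
```

Regenerating on every request, as the thread's code does, is harmless but not what defeats fixation; the regeneration that counts is the one at the privilege change, because that is the point at which a pre-planted id would otherwise become an authenticated one.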

Thanks a lot for your profound answer...

 

I believe that 9three's if-statement was supposed to be something like:

 

if($_SESSION['HTTP_USER_AGENT']!=$_SERVER['HTTP_USER_AGENT']) 

 

maybe?

 

and another thing, why did he use

 

$_SESSION = array();

 

before trashing the sessions?


nice arguments for checking user credentials on every page, maybe you could implement a conditional credential check....maybe on pages where the user may edit and delete any entries you might want to double check his credentials...not really necessary on every single page IMO, each to his own...  ::)


Actually all you have to do is simply not include the session::check() on the page. You still must include the session_start() at the top of the page to continue the session. It's all about what pages you need to be validated and which you do not need validated. So if you have a user logged in they should have access only to certain pages, so on those pages you would include the session::check() at the top of the page, if not, then simply omit this.


Thanks to you all...:)

 

1. Another question: should I use the new-id-regeneration function in my regular authentication process?

 

2. And about preventing an injection, would this do for every registration-form input? [And should I use it before I validate the input itself, or only use it after I've checked it and right before I put it in the DB?]

 

 

function sqlQuote( $value )
{
    // Undo magic_quotes_gpc first so the value is not escaped twice
    // (magic quotes were removed in PHP 5.4; this branch is a no-op after that).
    if( get_magic_quotes_gpc() )
    {
          $value = stripslashes( $value );
    }

    // Escapes for the currently open mysql_* link, so a connection must exist
    // before this is called (ext/mysql was removed in PHP 7; mysqli/PDO
    // prepared statements replace it there).
    $value = mysql_real_escape_string( $value );

    return $value;
}

 

 

3. Any other tips&tricks for special checks or helpful ideas regarding user authentication and security?

 

 

 

 


Hi Liad,

 

Sorry I've been on vacation for a few days. Rule #1 when it comes to security: 'Anything that comes from the client shall not be trusted'. That is gospel truth. Every single input that is accepted on the server end can be spoofed information on the client end. There are a TON of free programs that will stop HTTP requests before they are sent from your browser and allow you to manipulate them in any way you like. So any variable that comes from a client ($_GET or $_POST) should be both escaped and sanitized if possible. For instance, say we have a form that has a first name, last name, email, phone, address, city, state and zip. Each one of these should be escaped using mysql_real_escape_string as each one of these could be spoofed information from the client end and could potentially be a SQL injection attack. Second, almost all of this data can be sanitized. For instance, the first name and last name should have only letters. No numbers or spaces or characters. Also, you can check to make sure that the email address follows the email format (myname@domain.com). Also, you can do the same with zip code and phone number as well. Address is a little more difficult to sanitize as it could be different, but all the other inputs should match up with certain patterns. You can check all of these with regular expressions (you can search through a bunch of them at http://regexlib.com/Search.aspx) using the preg_match() function.

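The two questions above (liad's sqlQuote() and "before or after validation?", and the reply's field-by-field pattern matching) worked through as one added example that is not code from the thread. Validation runs on the raw submitted value first; escaping it beforehand would insert backslashes into the very string the patterns are inspecting. The database boundary is then handled by a prepared statement rather than by hand escaping, so the driver keeps data and SQL apart and nothing depends on magic quotes or on the mysql_* extension (removed in PHP 7). The `users` table, the field list and the function names are hypothetical; the zip pattern is US-format and is one of the things to adjust per locale.

```php
<?php
// Added example, not from the thread: validate each registration field against
// a strict pattern first, then hand the values to a prepared statement so the
// driver, not string escaping, keeps data and SQL apart. The users table, the
// field list and the function names are hypothetical.

function validate_registration(array $in)
{
    $rules = array(
        'first_name' => '/^[A-Za-z]{1,40}$/',            // letters only, as the reply says
        'last_name'  => '/^[A-Za-z]{1,40}$/',
        'zip'        => '/^[0-9]{5}(-[0-9]{4})?$/',      // US format; adjust per locale
        'phone'      => '/^\+?[0-9 ()-]{7,20}$/',        // digits plus common separators
    );
    $errors = array();
    foreach ($rules as $field => $re) {
        // Validate the raw value: no escaping has touched it yet.
        $v = isset($in[$field]) ? trim($in[$field]) : '';
        if (!preg_match($re, $v)) {
            $errors[$field] = 'invalid';
        }
    }
    if (!isset($in['email']) || filter_var($in['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid';
    }
    // Free-text fields (address) cannot be pattern-matched; bound the length instead.
    if (!isset($in['address']) || strlen($in['address']) > 200) {
        $errors['address'] = 'invalid';
    }
    return $errors;   // empty array means "all fields acceptable"
}

function insert_user(PDO $pdo, array $in)
{
    // Placeholders carry the values out of band: no sqlQuote()/stripslashes
    // dance, no dependence on magic_quotes or on the connection charset.
    $sql = 'INSERT INTO users (first_name, last_name, email, phone, address, zip)
            VALUES (:first_name, :last_name, :email, :phone, :address, :zip)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute(array(
        ':first_name' => $in['first_name'],
        ':last_name'  => $in['last_name'],
        ':email'      => $in['email'],
        ':phone'      => $in['phone'],
        ':address'    => $in['address'],
        ':zip'        => $in['zip'],
    ));
    return (int) $pdo->lastInsertId();
}

// Usage, with emulated prepares off so MySQL itself binds the parameters:
//   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
//   $errors = validate_registration($_POST);
//   if (!$errors) { $id = insert_user($pdo, $_POST); }
```

Validation here is about data quality and reducing the attack surface (a name field that only admits letters cannot carry a `'` or a `<`); it is the parameterization, not the patterns, that closes the injection, which is why the address field can be free text without reopening the hole.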

(quoting the reply above that explains the session_regenerate_id() comparison)

 

Sorry I showed you the wrong one, I was still figuring out how I wanted to handle my sessions. Here is my updated one:

 

  public function check_user()
  {
    session_start();
    // Fresh id on every request; true discards the old session file.
    session_regenerate_id(true);
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    // Record the user agent only the first time this session is seen.
    // Assigning it unconditionally right before the comparison (as first
    // posted) would make the check below always pass.
    if(!isset($_SESSION['user_agent']))
    {
      $_SESSION['user_agent'] = $ua;
    }
    if($_SESSION['user_agent'] != $ua)
    {
      $_SESSION = array();
      session_unset();
      session_destroy();
      header('Location: index.php');   // header() needs the Location: prefix to redirect
      exit;                             // stop the page from rendering after the redirect
    }
  }
