
[SOLVED] Best practices for user authentication?


Boo-urns


I've done user logins different ways in the past, and since learning more PHP I realize some are not the best way. What I was thinking is to create a session/cookie variable for session_id(), then regenerate it every so often. I was also thinking about storing the IP, but what if the user is using a proxy?

 

What do you suggest?

 

Thanks

-Corey


I've done user logins different ways in the past, and since learning more PHP I realize some are not the best way. What I was thinking is to create a session/cookie variable for session_id(), then regenerate it every so often. I was also thinking about storing the IP, but what if the user is using a proxy?

 

What do you suggest?

 

Thanks

-Corey

 

It depends if you want the user to be able to check a "remember me" box.

 

 


This is how I've always done user auth:

 

If they do not have the right cookie set

Login with pw/username

If a valid combo, set a session with the login time, last action time and the UserID #

If the remember me box is checked, create a cookie with the same info in it + an auth key that is then stored in their MySQL UserRow

 

If cookie is set:

Set the session after verifying the UserId Auth Key combo is valid

 

 

Never had an issue.

 

 

It doesn't need to be complicated; simple is better. Just remember that if you do not auto-start sessions site-wide, session_start() is needed.


What I was thinking is to create a session/cookie variable for a session_id() Then regenerate it every so often.

 

session_regenerate_id() should be called any time a user's privileges escalate.

 

If a valid combo, set a session with the login time, last action time and the UserID #

 

I'd never store a userID or name in a cookie. You should have a field in your database that stores a unique identifier (I usually use an md5'd user name + salt + rand) that doesn't give the obvious appearance of being related to a username. You can then store this within your cookie.

 

Also, cookies should only be valid for one login, once they have been used they should be regenerated.


Ahh, I wasn't aware you can spoof IPs. I know that you can possibly get the session_id, which is session fixation.

 

If I wanted a remember me box how should I set it up?

 

If you want a remember me box, this is what you do:

 

Don't use sessions, because they only last for the session... you can make them last longer, but to me it is very difficult to set that up (at least for me).

 

You make a table where you'll store a tempID, userID, and an expiration date.

 

When the user logs in, check to see if they have a cookie stored. If not (first time logging in), check their username and password against the user/pass in the user table (standard stuff), THEN you shoot a cookie to them that contains a tempID.

 

You then make an entry into that table and store the tempID along with their username and the expiration date. (If they check remember me, set it to whatever you want: a month, etc. If they don't, set it to 30 minutes or so from now.)

 

Then, every time they log in, you check if they have the cookie set. If they do, you take the tempID in the cookie and match it against the tempID in the table, pull their userID and log them in.

 

For the cookie, if they check remember me, make the cookie last however long you want: 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).

 

The only problem with this system is that you have to delete all the entries in the table where expiration date has expired every so often.


For the cookie, if they check remember me, make the cookie last however long you want: 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).

 

It is exactly these types of cookies that should be deleted and regenerated after every login.


For the cookie, if they check remember me, make the cookie last however long you want: 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).

 

It is exactly these types of cookies that should be deleted and regenerated after every login.

 

If they check "remember me" why would you delete the cookie?


Because a cookie that is left around too long could be dangerous.

 

The idea is that if they re-login elsewhere, that rotating auth key (as suggested by me and upgraded by Thorpe) changes, so that cookie goes bad.

 

I really don't like to stay logged into a site for 30 days, but if I log in 5 times daily it's nice to not have to put in my credentials.

It's not so much a "remember me" as a "remember me for 5 days or until I log in again".


Because a cookie that is left around too long could be dangerous.

 

The idea is that if they re-login elsewhere, that rotating auth key (as suggested by me and upgraded by Thorpe) changes, so that cookie goes bad.

 

I really don't like to stay logged into a site for 30 days, but if I log in 5 times daily it's nice to not have to put in my credentials.

It's not so much a "remember me" as a "remember me for 5 days or until I log in again".

 

So, are you saying, if they check "remember me", don't keep the tempID in the table for more than a day?

 

But then, you can't have the "remember me" feature.


The remember me button simply adds a cookie with an Auth Key in it specific to that user.  That key should expire when the account is logged in again (same computer or different) or after X days.

 

The X days part is up to you; if you have security issues with it being too long down the road, make X smaller. Otherwise it's up to you.


The remember me button simply adds a cookie with an Auth Key in it specific to that user.  That key should expire when the account is logged in again (same computer or different) or after X days.

 

The X days part is up to you; if you have security issues with it being too long down the road, make X smaller. Otherwise it's up to you.

 

By "logged in again", do you mean if they log out first?


The idea is this.

 

When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions, then remove the cookie and issue them a new one (storing a key in the cookie and updating the valid key in your database). The user can then browse around logged in via the session.

 

Now, if they stop browsing your site or close their browser, the session will die. Next time they enter the site you repeat the process above.

This makes the cookie only valid for one login, preventing people from being able to use the cookie to gain access if it is stolen.


The idea is this.

 

When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions, then remove the cookie and issue them a new one (storing a key in the cookie and updating the valid key in your database). The user can then browse around logged in via the session.

 

Now, if they stop browsing your site or close their browser, the session will die. Next time they enter the site you repeat the process above.

This makes the cookie only valid for one login, preventing people from being able to use the cookie to gain access if it is stolen.

 

I'm still a little confused.

So, with your system, would you always check to see if they had a session on every page?

And then if they didn't, would you check to see if they had a cookie set?

And if they had a cookie set, you would delete it and create a new one and start a new session?


The idea is this.

 

When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions,

 

It might take me a little while to fully understand this, but I'll get it....

 

I think this is where I get a little confused...

 

When you say "when a user comes to my site"...the way I'll know that is by checking if they have a session first, right?

 

Also, one more question...

when you say "The user can then browse around logged in via the session."

 

Would that be accomplished by checking if they have a session on every page?

 

thanks ...


The idea is this.

 

When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions,

 

It might take me a little while to fully understand this, but I'll get it....

 

I think this is where I get a little confused...

 

When you say "when a user comes to my site"...the way I'll know that is by checking if they have a session first, right?

 

Right, basic login situation. If no session, check for a cookie. If no cookie, show the login form. If there is a cookie, validate it against the DB, then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data and they are on their way.
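The flow just described (check the session, validate the cookie against the DB, consume it, assign a session, issue a fresh cookie), written out as an added PHP example; this is not code posted in the thread. It assumes an open PDO connection in `$db` and a `remember_tokens` table with columns selector, token_hash, user_id and expires_at (both assumptions), and it stores only a hash of the cookie's secret so a copy of the table does not yield working cookies.

```php
<?php
// Added example, not code from this thread. One-time-use "remember me" tokens,
// rotated on every use. Assumes an open PDO connection $db and a table
// remember_tokens(selector, token_hash, user_id, expires_at); both are assumptions.
declare(strict_types=1);
const REMEMBER_DAYS = 30;

function issueRememberCookie(PDO $db, int $userId): void {
    $selector = bin2hex(random_bytes(12)); // random lookup key, unrelated to the username
    $token    = bin2hex(random_bytes(32)); // secret half; only its hash is stored
    $expires  = time() + REMEMBER_DAYS * 86400;
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $userId, date('Y-m-d H:i:s', $expires)]);
    // Must run before any output is sent. The options-array form needs PHP 7.3+.
    setcookie('remember', "$selector:$token", ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

function clearRememberCookie(): void {
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Returns the user id on success, null otherwise. The presented token is deleted either
// way, so a stolen cookie works at most once and not at all after the real user re-logs in.
function loginFromRememberCookie(PDO $db): ?int {
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $token] = explode(':', $_COOKIE['remember'], 2);
    $stmt = $db->prepare('SELECT token_hash, user_id FROM remember_tokens
                          WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ($row === false || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        clearRememberCookie();
        return null;
    }
    $userId = (int) $row['user_id'];
    session_regenerate_id(true);       // fresh session id on privilege change
    $_SESSION['loggedin'] = true;
    $_SESSION['userID']   = $userId;
    issueRememberCookie($db, $userId); // replace the consumed cookie with a new one
    return $userId;
}

// Per-page order of checks: session first, then cookie, otherwise the login form.
session_start();
if (empty($_SESSION['loggedin']) && loginFromRememberCookie($db) === null) {
    // not logged in: render the login form here
}
```

Expired rows still need the periodic cleanup mentioned earlier, and an explicit logout should delete the user's rows and clear the cookie.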


Right, basic login situation. If no session, check for a cookie. If no cookie, show the login form. If there is a cookie, validate it against the DB, then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data and they are on their way.

 

"The user can then browse around logged in via the session."

 

And then to accomplish this, you check for a session on every page (that uses user info), right?

 

What would you store in the session?

 

sorry for all the questions...I just realized I have to redo my login system and I want to make sure I get it right this time.


Right, basic login situation. If no session, check for a cookie. If no cookie, show the login form. If there is a cookie, validate it against the DB, then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data and they are on their way.

 

"The user can then browse around logged in via the session."

 

And then to accomplish this, you check for a session on every page (that uses user info), right?

 

What would you store in the session?

 

sorry for all the questions...I just realized I have to redo my login system and I want to make sure I get it right this time.

 

I generally store basic info in the session, but once a user is logged in/authenticated I set a session variable called "loggedin" to true and I check this on each page. Then if I, say, use their username on each page, I set that in the session too, and also their userid for queries etc. This way it saves some queries from needing to be run.

 

But that is me.


Right, basic login situation. If no session, check for a cookie. If no cookie, show the login form. If there is a cookie, validate it against the DB, then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data and they are on their way.

 

"The user can then browse around logged in via the session."

 

And then to accomplish this, you check for a session on every page (that uses user info), right?

 

What would you store in the session?

 

sorry for all the questions...I just realized I have to redo my login system and I want to make sure I get it right this time.

 

I generally store basic info in the session, but once a user is logged in/authenticated I set a session variable called "loggedin" to true and I check this on each page. Then if I, say, use their username on each page, I set that in the session too, and also their userid for queries etc. This way it saves some queries from needing to be run.

 

But that is me.

 

So, it's safe to store userID and username in sessions?

But each one will be an individual session variable.

 

So, if I just want to see if they are logged in, I would do:

<?php
session_start(); // needed on every page before $_SESSION is available

if (isset($_SESSION['loggedin'])) {
  $userID = $_SESSION['userID'];
  $username = $_SESSION['username'];
}

