Boo-urns Posted January 20, 2009

I've done user logins different ways in the past, and since learning more PHP I realize some are not the best way. What I was thinking is to create a session/cookie variable for a session_id(), then regenerate it every so often. I was also thinking about storing the IP, but what if the user is using a proxy? What do you suggest?

Thanks
-Corey
premiso Posted January 20, 2009

Using session_start should automatically set a cookie with the session id. No need to regenerate ids. The IP you can store, but it is not good for authentication due to the ease of spoofing it.
limitphp Posted January 20, 2009

> I've done user logins different ways in the past and since learning more PHP I realize some are not the best way. What I was thinking is to create a session/cookie variable for a session_id() Then regenerate it every so often. I was also thinking about storing IP but what if the user is using a proxy? What do you suggest?

It depends if you want the user to be able to check a "remember me" box.
Boo-urns (Author) Posted January 20, 2009

Ahh, I wasn't aware you can spoof IPs. I know that you can possibly get the session_id, which is session fixation. If I wanted a remember me box, how should I set it up?
cooldude832 Posted January 20, 2009

This is how I've always done user auth:

If they do not have the right cookie set:
- Login with password/username.
- If a valid combo, set a session with the login time, last action time and the UserID #.
- If the remember me box is checked, create a cookie with the same info in it + an auth key that is then stored in their MySQL user row.

If the cookie is set:
- Set the session after verifying the UserID / auth key combo is valid.

Never had an issue. It doesn't need to be complicated; simple is better. Just remember, if you do not auto-start sessions site-wide, session_start is needed.
Boo-urns (Author) Posted January 20, 2009

For your authentication, did you change the session timeout variable in your .ini file? Or is it just going to time out after X? Or did you set up a cookie with _____?

Thanks
-Corey
trq Posted January 20, 2009

> What I was thinking is to create a session/cookie variable for a session_id() Then regenerate it every so often.

session_regenerate_id should be called any time a user's privileges escalate.

> If a valid combo set a session with the login time, last action time and the UserID #

I'd never store a userID or name in a cookie. You should have a field in your database that stores a unique identifier (I usually use an md5'd user name + salt + rand) that doesn't give the obvious appearance of being related to a username. You can then store this within your cookie. Also, cookies should only be valid for one login; once they have been used they should be regenerated.
limitphp Posted January 20, 2009

> Ahh I wasn't aware you can spoof IPs I know that you can possibly get the session_id which is session fixation. If I wanted a remember me box how should I set it up?

If you want a remember me box, this is what you do:

Don't use sessions, because they only last for the session. You can make them last longer, but to me it is very difficult to set that up (at least for me).

You make a table where you'll store a tempID, userID, and an expiration date.

When the user logs in, check to see if they have a cookie stored. If not (first time logging in), check their username and password against the user/pass in the user table (standard stuff), THEN you shoot a cookie to them that contains a tempID. You then make an entry into that table and store the tempID along with their username and the expiration date (if they check remember me, set it to whatever you want: a month, etc.; if they don't, set it to 30 minutes, etc. from now).

Then, every time they log in, you check if they have the cookie set. If they do, you take the tempID in the cookie and match it against the tempID in the table, pull their userID and log them in.

For the cookie, if they check remember me, make the cookie last however long you want: 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).

The only problem with this system is that you have to delete all the entries in the table where the expiration date has expired every so often.
trq Posted January 20, 2009

> For the cookie, if they check remember me, make the cookie last however long you want, 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).

It is exactly these types of cookies that should be deleted and regenerated after every login.
Boo-urns (Author) Posted January 20, 2009

Thanks for all the help! Definitely helped me organize everything in my head. Time to go write the script!

Thanks again!
-Corey
limitphp Posted January 20, 2009

> > For the cookie, if they check remember me, make the cookie last however long you want, 30 days, a year, etc. If they don't check it, set the cookie to expire at 0 (this makes the cookie delete after their session ends).
>
> It is exactly these types of cookies that should be deleted and regenerated after every login.

If they check "remember me", why would you delete the cookie?
cooldude832 Posted January 20, 2009

Because a cookie that is left around too long could be dangerous. The idea is, if they re-login elsewhere, that rotating auth key as suggested by me and upgraded by Thorpe changes, so that cookie goes bad. I really don't like to stay logged into a site for 30 days, but if I log in 5 times daily it's nice to not have to put in my credentials. It's not as much a remember me as a remember me for 5 days or until I log in again.
limitphp Posted January 20, 2009

> Because a cookie that is left around too long could be dangerous. The idea is if they relogin else where that rotating auth key as suggested by me and upgraded by Thorpe changes so that cookie goes bad. I really don't like to stay logged into a site for 30 days, but if I login 5 times daily its nice to not have to put in my credentials. Its not as much a remember me as a remember me for 5 days or until I login again.

So, are you saying, if they check "remember me", don't keep the tempID in the table for more than a day? But then you can't have the "remember me" feature.
cooldude832 Posted January 20, 2009

The remember me button simply adds a cookie with an auth key in it specific to that user. That key should expire when the account is logged in again (same computer or different) or after X days. The X days part is up to you; if you have security issues with it being too long down the road, make X smaller. Otherwise it's up to you.
limitphp Posted January 20, 2009

> The remember me button simply adds a cookie with an Auth Key in it specific to that user. That key should expire when the account is logged in again (same computer or different) or after X days. The X days part is up to you if you have security issues with it being too long down the road make X smaller otherwise its up to you.

By "logged in again", do you mean if they log out first?
trq Posted January 20, 2009

The idea is this. When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions, then remove the cookie and issue them a new one (storing a key in the cookie and updating the valid key in your database). The user can then browse around logged in via the session. Now, if they stop browsing your site or close their browser, the session will die. Next time they enter the site you repeat the process above. This makes the cookie only valid for one login, preventing people being able to use the cookie to gain access if it is stolen.
limitphp Posted January 21, 2009

> The idea is this. When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions, then remove the cookie and issue them a new one (storing a key in the cookie and updating the valid key in your database). The user can then browse around logged in via the session. Now, if they stop browsing your site or close there browser the session will die. Next time they enter the site you repeat the process above. This makes the cookie only valid for one login. Preventing people being able use the cookie to gain access if it is stolen.

I'm still a little confused. So, with your system, would you always check to see if they had a session on every page? And then if they didn't, would you check to see if they had a cookie set? And if they had a cookie set, you would delete it and create a new one and start a new session?
limitphp Posted January 21, 2009

> The idea is this. When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions,

It might take me a little while to fully understand this, but I'll get it....

I think this is where I get a little confused. When you say "when a user comes to my site", the way I'll know that is by checking if they have a session first, right?

Also, one more question: when you say "The user can then browse around logged in via the session", would that be accomplished by checking if they have a session on every page?

Thanks...
premiso Posted January 21, 2009

> > The idea is this. When a user comes to your site, you check to see if they have a valid cookie. If they do, you log them in using sessions,
>
> It might take me a little while to fully understand this, but I'll get it.... I think this is where I get a little confused... When you say "when a user comes to my site"...the way I'll know that is by checking if they have a session first, right?

Right, basic login situation. If no session, check for a cookie. If no cookie, show the login form. If cookie, validate it against the DB, then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data and they are on their way.
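The flow trq and premiso describe, as an added example that is not part of the thread (PHP 7.3+, PDO with an in-memory SQLite database so it runs from the command line). It departs from the posts in two labelled ways: the cookie carries a random selector plus a random validator and the database stores only a hash of the validator, instead of the hashed-username identifier trq mentions, so that someone who can read the table still cannot forge a cookie; and a password login deletes the account's outstanding keys, which is the "goes bad when they log in again" behaviour cooldude832 describes. Table, column and function names (remember_tokens, issueRememberToken, consumeRememberToken, bootstrapAuth and so on) and the sample user are this example's own assumptions.

```php
<?php
// Added example, not code from the thread: remember-me cookie with a rotating,
// opaque key, for PHP 7.3+ with PDO. Names below are this example's own assumptions.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 86400;   // the "X days"; shorten it if that feels too long

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');   // in-memory SQLite so this runs offline
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT)');
    // selector = public lookup half of the key, validator_hash = sha256 of the secret half.
    $pdo->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
                user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $pdo;
}

// Mint a fresh key for the user; the return value is what goes in the cookie.
function issueRememberToken(PDO $pdo, int $userId, int $ttl): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $pdo->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Check a cookie value. The row is deleted whether or not the secret half matches,
// so each key is good for one login only and cannot be brute-forced in place.
function consumeRememberToken(PDO $pdo, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires_at'] < time()) { return null; }
    // hash_equals() compares in constant time
    return hash_equals($row['validator_hash'], hash('sha256', $validator)) ? (int) $row['user_id'] : null;
}

// Password check. Success also drops every outstanding key for the account, which is
// what makes a cookie issued (or stolen) earlier go bad once the user logs in again.
function verifyPassword(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) { return null; }
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$row['id']]);
    return (int) $row['id'];
}

// The periodic cleanup the thread mentions; run it from cron or on a fraction of requests.
function purgeExpiredTokens(PDO $pdo): int {
    $stmt = $pdo->prepare('DELETE FROM remember_tokens WHERE expires_at < ?');
    $stmt->execute([time()]);
    return $stmt->rowCount();
}

// Privilege just changed: new session id, old one discarded, only non-secret data in $_SESSION.
function startAuthenticatedSession(int $userId): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    session_regenerate_id(true);
    $_SESSION = ['loggedin' => true, 'userID' => $userId, 'login_time' => time()];
}

function sendRememberCookie(string $value): void {
    setcookie(REMEMBER_COOKIE, $value, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
              'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Per-request bootstrap: session first, then cookie, otherwise the visitor sees the login form.
function bootstrapAuth(PDO $pdo): void {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (!empty($_SESSION['loggedin']) || !isset($_COOKIE[REMEMBER_COOKIE])) { return; }
    $userId = consumeRememberToken($pdo, (string) $_COOKIE[REMEMBER_COOKIE]);
    if ($userId === null) { setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']); return; }
    startAuthenticatedSession($userId);
    sendRememberCookie(issueRememberToken($pdo, $userId, REMEMBER_TTL));   // one login, one key
}

// Offline walk-through of the key lifecycle (php thisfile.php); touches no headers or session.
if (PHP_SAPI === 'cli') {
    $pdo = openDb();
    $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
        ->execute(['corey', password_hash('correct horse', PASSWORD_DEFAULT)]);   // constructed user
    $uid    = verifyPassword($pdo, 'corey', 'correct horse');
    $cookie = issueRememberToken($pdo, $uid, REMEMBER_TTL);
    var_dump(consumeRememberToken($pdo, $cookie));    // first use of the cookie
    var_dump(consumeRememberToken($pdo, $cookie));    // the same cookie presented again
    $cookie = issueRememberToken($pdo, $uid, REMEMBER_TTL);
    verifyPassword($pdo, 'corey', 'correct horse');   // the account logs in again with its password
    var_dump(consumeRememberToken($pdo, $cookie));    // key issued before that password login
}
```

bootstrapAuth() is the include at the top of every page; the login form handler (not shown) is verifyPassword(), then startAuthenticatedSession(), then sendRememberCookie(issueRememberToken(...)) only if the remember-me box was ticked. The walk-through at the bottom presents a cookie once, replays it, and presents a key issued before a fresh password login: only the first attempt returns a user id, so a stolen cookie keeps working only until its one use is spent, the legitimate user next logs in, or the key expires.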
limitphp Posted January 21, 2009

> Right, basic login situation. If no session, check for a cookie. If no cookie show login form. If cookie validate it vs the DB then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data then they are on their way.

> The user can then browse around logged in via the session.

And then to accomplish this, you check for a session on every page (that uses user info), right? What would you store in the session?

Sorry for all the questions... I just realized I have to redo my login system and I want to make sure I get it right this time.
premiso Posted January 21, 2009

> > Right, basic login situation. If no session, check for a cookie. If no cookie show login form. If cookie validate it vs the DB then assign a session, unset the old cookie and set a new cookie with a new random value that is stored in your DB for the next time they come back. Set the session data then they are on their way.
>
> "The user can then browse around logged in via the session." And then to accomplish this, you check for a session on every page (that uses user info), right? What would you store in the session? sorry for all the questions...I just realized I have to redo my login system and I want to make sure I get it right this time.

I generally store basic info in the session, but once a user is logged in/authenticated I set a session variable called "loggedin" to true and I check this on each page. Then if I, say, use their username on each page, I set that in the session, and also their userid for queries etc. This way it saves some queries from needing to be run. But that is me.
limitphp Posted January 21, 2009

> I generally store basic info in the session, but once a user is logged in/authenticated I set a session variable called "loggedin" to true and I check this each page. Then if I say use their username each page I set that in session also their userid for queries etc. This way it saves some queries from needing to be ran. But that is me.

So, it's safe to store userID and username in sessions? But each one will be an individual session variable. So, if I just want to see if they are logged in, I would do:

    session_start(); // must run before $_SESSION is available on this page
    if (isset($_SESSION['loggedin'])) {
        $userID   = $_SESSION['userID'];
        $username = $_SESSION['username'];
    }
premiso Posted January 21, 2009

Yep. Session files are stored on your server. Just don't store their password in it. But other misc data is fine, to prevent having to re-query it each time.
limitphp Posted January 21, 2009

Thanks for all the info!
limitphp Posted January 21, 2009

One quick thing... if someone gets a cookie that is good and uses it, then the system will set another good cookie on their computer, so then they can keep getting good cookies that will allow them access to the user's info.