Goose (posted March 1, 2009)

I am not really looking for a definitive answer here, just people's opinions. For the longest time I have written PHP login systems that use cookies to store the login "session". Now I am wondering whether this is the best method. What do you guys think? What methods do you use, and why? I am assuming people are using some combination of cookies, sessions and/or MySQL. My criteria for a login are, most importantly, security, followed by utility (i.e. it can keep a user logged in for longer than their browser is open, or can store other account information). Thanks ahead of time.

P.S. If your best choice uses some special implementation, I would love to know more details about that.

Thread: https://forums.phpfreaks.com/topic/147396-best-login-method-discussion/
landavia (posted March 1, 2009)

I was thinking of adding another session. You see... you create a name/password session, including the time to expire. Try putting another session in... I would say todayWord; if todayWord does not match todayWord (on the database)... fail the script... the whole script.
Goose (author, posted March 2, 2009)

> I was thinking of adding another session. You see... you create a name/password session, including the time to expire. Try putting another session in... I would say todayWord; if todayWord does not match todayWord (on the database)... fail the script... the whole script.

Not sure I completely follow what you are saying here, but thanks for your input. Would love more input on the subject.
laffin (posted March 2, 2009)

Been using sessions for a while now, but you should read up on session fixation (security): as the session id is stored as a cookie, it is possible to steal/make ids. So, to make it more secure:

1) use session_regenerate_id() so the cookie id changes;
2) do not rely on the session info alone; use a hash of other various info provided. In my routines I generally use IP & browser agent info (md5 these two), so if either changes the session becomes invalid;
3) change the session life span (I give a 15 minute lifespan for a session cookie).

I see a lot of folks who don't understand #2, and see something like if($_SESSION['loggedin']) when, with a little more thought, you can secure it with if($_SESSION['hash'] == md5($ip.$_SERVER["HTTP_USER_AGENT"])). As I said, I use IP & browser agent info.

Anyways, good luck.
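The three measures laffin lists (regenerate the id on login, bind the session to a request fingerprint, cap the lifetime at 15 minutes) put together in one PHP file. This is an added example written for this thread, not laffin's routines; the function names (session_start_secure, session_login, session_current_user, session_logout) are hypothetical, and it uses SHA-256 plus hash_equals() where laffin used md5 and ==.

```php
<?php
// Added example: hardened PHP session login check combining the three points
// from laffin's post. Assumes a separate password check calls session_login()
// on success; all function names here are hypothetical.

declare(strict_types=1);

const SESSION_LIFETIME = 15 * 60; // laffin's 15-minute lifespan, in seconds

// Fingerprint the request so a stolen id used from elsewhere is rejected.
// Caveat raised later in the thread: IPs change behind proxies and shared
// gateways, so some sites hash only the user agent, or skip this entirely.
function session_fingerprint(): string
{
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash('sha256', $ip . '|' . $ua);
}

function session_start_secure(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // HttpOnly keeps script from reading the id; Secure requires HTTPS.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    session_start();
}

// Call once the password check has succeeded.
function session_login(int $userId): void
{
    session_start_secure();
    session_regenerate_id(true); // new id, old one deleted: defeats fixation
    $_SESSION = [
        'user_id'   => $userId,
        'hash'      => session_fingerprint(),
        'last_seen' => time(),
    ];
}

// Returns the logged-in user id, or null when the session is missing, stale,
// or was issued to a different fingerprint.
function session_current_user(): ?int
{
    session_start_secure();
    if (!isset($_SESSION['user_id'], $_SESSION['hash'], $_SESSION['last_seen'])) {
        return null;
    }
    $expired  = (time() - (int) $_SESSION['last_seen']) > SESSION_LIFETIME;
    $mismatch = !hash_equals((string) $_SESSION['hash'], session_fingerprint());
    if ($expired || $mismatch) {
        session_logout();
        return null;
    }
    $_SESSION['last_seen'] = time(); // sliding expiry: activity extends the 15 minutes
    return (int) $_SESSION['user_id'];
}

function session_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Typical use at the top of a protected page:
//   $uid = session_current_user();
//   if ($uid === null) { header('Location: /login.php'); exit; }
```

The point of session_regenerate_id(true) is that any id an attacker planted or captured before login is discarded, and use_strict_mode makes PHP refuse an id it did not generate itself, which closes the fixation route laffin describes without relying on the fingerprint.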
Goose (author, posted March 2, 2009)

> Been using sessions for a while now, but you should read up on session fixation (security): as the session id is stored as a cookie, it is possible to steal/make ids. So, to make it more secure:
>
> 1) use session_regenerate_id() so the cookie id changes;
> 2) do not rely on the session info alone; use a hash of other various info provided. In my routines I generally use IP & browser agent info (md5 these two), so if either changes the session becomes invalid;
> 3) change the session life span (I give a 15 minute lifespan for a session cookie).
>
> I see a lot of folks who don't understand #2, and see something like if($_SESSION['loggedin']) when, with a little more thought, you can secure it with if($_SESSION['hash'] == md5($ip.$_SERVER["HTTP_USER_AGENT"])). As I said, I use IP & browser agent info.
>
> Anyways, good luck.

Great information. I hope some more people post their thoughts.
br0ken (posted March 3, 2009)

It should be noted that using the browser and IP address as a secure login method can be insecure. Both of these items can be faked, but also, some people use shared IPs (AOL users), which means they would not be able to access your system.

Using session_regenerate_id() often is a good practice. If someone does get hold of a user's session id, by the time they use it, it would have changed and become invalid.

Using SSL, especially when login information is being sent, is vital to any secure system.
Goose (author, posted March 5, 2009)

> It should be noted that using the browser and IP address as a secure login method can be insecure. Both of these items can be faked, but also, some people use shared IPs (AOL users), which means they would not be able to access your system.
>
> Using session_regenerate_id() often is a good practice. If someone does get hold of a user's session id, by the time they use it, it would have changed and become invalid.
>
> Using SSL, especially when login information is being sent, is vital to any secure system.

Cool, well, that is all great information. I will try using sessions instead. If anyone can point me to a good tutorial (I haven't looked yet, but will do the regulars (check PHP Freaks and Google)), that would be awesome. Thanks again, all.
br0ken (posted March 6, 2009)

I just did a quick Google search and found these tutorials that look promising:

http://uk.php.net/session/
http://www.tizag.com/phpT/phpsessions.php
http://www.phpf1.com/tutorial/php-sessions.html
http://www.codewalkers.com/c/a/Miscellaneous/Using-Sessions-in-PHP/
kickstart (posted March 6, 2009)

Hi

In addition to the above, one thing I have done is store the session id in a column in the users table. I then have a column for when they last did anything, and update this whenever they invoke a script, but only where the time is later than now minus X minutes. If the number of records updated is not 1, then just redirect them to the login page.

The advantage of this is that you can easily boot people off the system by setting the last time they touched anything to null.

All the best

Keith
jackpf (posted March 6, 2009)

Tbh, I find cookies better. They last longer, and I find them to be very secure if you use them logically. For example, for my login I set two cookies: the user's username, and their ID as an encrypted string. Then, on every page that requires them to be logged in, a check occurs which makes sure their username and ID match the database. I haven't been hacked at all; I find it to be pretty secure.
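jackpf's approach relies on the browser presenting an identifier that the server then checks against the database. The weak spot in a cookie scheme is that the client controls the cookie bytes, so the server needs a way to tell a cookie it issued from a forged one. The added example below (not jackpf's code) does that with an HMAC over the user id and expiry; the cookie then carries only an id, not the username or any password material. COOKIE_KEY is a placeholder that would come from configuration, and the function names are hypothetical.

```php
<?php
// Added example: a persistent-login ("remember me") cookie whose contents are
// authenticated with an HMAC, so a tampered or invented cookie is rejected
// before any database lookup. Not jackpf's code; names are hypothetical.

declare(strict_types=1);

const COOKIE_NAME = 'remember';
const COOKIE_DAYS = 30;
const COOKIE_KEY  = 'replace-with-a-long-random-secret'; // placeholder: load from config

// Cookie format: "<user_id>:<expires>:<hmac>", all three readable, none forgeable
// without the key.
function remember_cookie_value(int $userId, int $expires): string
{
    $payload = $userId . ':' . $expires;
    $mac = hash_hmac('sha256', $payload, COOKIE_KEY);
    return $payload . ':' . $mac;
}

function remember_set(int $userId): void
{
    $expires = time() + COOKIE_DAYS * 86400;
    setcookie(COOKIE_NAME, remember_cookie_value($userId, $expires), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is intact and unexpired, otherwise null.
function remember_verify(string $cookie): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . ':' . $expires, COOKIE_KEY);
    // Constant-time comparison so response timing does not leak the MAC.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    if ((int) $expires < time()) {
        return null;
    }
    return (int) $userId;
}

function remember_current_user(): ?int
{
    $raw = $_COOKIE[COOKIE_NAME] ?? null;
    return is_string($raw) ? remember_verify($raw) : null;
}

// Use at the top of a protected page, after a valid id is returned, still
// confirm the account exists and is active, as jackpf's check does:
//   $uid = remember_current_user();
//   if ($uid === null || !account_is_active($uid)) { /* send to login */ }
```

One thing a signed cookie alone cannot do is revoke a single login: the MAC stays valid until the expiry date. If you need "log me out everywhere" or an admin kick, pair it with a server-side record of issued logins, which is what the table-based replies later in this thread provide.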
adam291086 (posted March 6, 2009)

The problem with cookies, I find, is that users can turn them off and not accept any. Therefore no cookies can be set. So maybe a combination of sessions and cookies. I personally use sessions and make sure any communication between the user and server is encrypted.
jackpf (posted March 6, 2009)

Yeah, I suppose... but I have a "friendly" message that's displayed if people try to log in and don't accept cookies. Tbh, they can easily allow an exception for sites they trust. Idk, you could use sessions and have the session ID in the URL, but that's so impractical and untidy...
adam291086 (posted March 6, 2009)

This is very true. Any method is fine as long as you secure it. I encrypt a lot of stuff, and clients are willing to sacrifice a little speed for this, because if their info is stolen no one can read it.
KevinM1 (posted March 6, 2009)

Remember: sessions use cookies to maintain state unless you specifically tell them not to.
Boo-urns (posted March 6, 2009)

What I've been doing lately for logins is that I have a separate table for logged-in users (id (auto increment) | uniqueID | userID) and create a unique id for them: salt + username (or anything related to the user), then md5, sha1, strrev, uniqid, any of them or a combination, just to mix it up from a straight-up md5. Then in their session I create a variable for the current timestamp, and update the timestamp if they are active throughout the site. If the timestamp is over some time (5, 10 mins...), I check that against the cookie/database to make sure it is the same user.

What do you guys think about that method? It is definitely a lot more secure than what I used to use. Any suggestions about the method I use?
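kickstart's and Boo-urns's posts describe the same shape: a server-side row per login holding an identifier, plus a last-activity time that is refreshed on use and lets the server expire or kick a login. The added example below (not either poster's code) implements that with PDO against a constructed `logins` table. It differs from Boo-urns's recipe in one deliberate way: the per-login identifier is random bytes rather than a hash of salt + username, so its strength does not depend on what an attacker knows about the user, and only its SHA-256 is stored, so a leaked table does not hand out usable tokens. The schema, IDLE_MINUTES and the function names are assumptions for this example.

```php
<?php
// Added example: database-backed login tracking in the style of kickstart's
// and Boo-urns's posts. Constructed schema (MySQL):
//
//   CREATE TABLE logins (
//     id        INT AUTO_INCREMENT PRIMARY KEY,
//     token_sha CHAR(64) NOT NULL UNIQUE,   -- sha256 of the token, never the token
//     user_id   INT NOT NULL,
//     last_seen DATETIME NULL               -- NULL means "kicked"
//   );
//
// Connect with MYSQL_ATTR_FOUND_ROWS so rowCount() counts matched rows, not
// only changed rows; otherwise two requests in the same second would see
// "0 rows updated" on the second one and wrongly log the user out:
//   $db = new PDO($dsn, $user, $pass, [PDO::MYSQL_ATTR_FOUND_ROWS => true,
//                                      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

declare(strict_types=1);

const IDLE_MINUTES = 15;

// Creates a login row and returns the raw token for the caller to keep in the
// session (or in an HttpOnly cookie). Only the hash is written to the table.
function login_create(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO logins (token_sha, user_id, last_seen) VALUES (?, ?, NOW())'
    );
    $stmt->execute([hash('sha256', $token), $userId]);
    return $token;
}

// Returns the user id for a live login, or null. Following kickstart: one
// UPDATE both refreshes last_seen and filters on it, so "rows updated != 1"
// covers expired, kicked (last_seen NULL) and unknown tokens in one test.
function login_check(PDO $db, string $token): ?int
{
    $tokenSha = hash('sha256', $token);
    $sql = sprintf(
        'UPDATE logins SET last_seen = NOW()
          WHERE token_sha = ?
            AND last_seen IS NOT NULL
            AND last_seen > NOW() - INTERVAL %d MINUTE',
        IDLE_MINUTES // integer constant, so safe to interpolate
    );
    $stmt = $db->prepare($sql);
    $stmt->execute([$tokenSha]);
    if ($stmt->rowCount() !== 1) {
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM logins WHERE token_sha = ?');
    $sel->execute([$tokenSha]);
    $userId = $sel->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Explicit logout: remove the row so the token can never be replayed.
function login_destroy(PDO $db, string $token): void
{
    $stmt = $db->prepare('DELETE FROM logins WHERE token_sha = ?');
    $stmt->execute([hash('sha256', $token)]);
}

// kickstart's "boot people off": nulling last_seen makes every later
// login_check() for that user fail. Returns how many logins were kicked.
function login_kick_user(PDO $db, int $userId): int
{
    $stmt = $db->prepare('UPDATE logins SET last_seen = NULL WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// Protected page sketch:
//   $token = $_SESSION['login_token'] ?? '';
//   $uid = $token === '' ? null : login_check($db, $token);
//   if ($uid === null) { header('Location: /login.php'); exit; }
```

Boo-urns re-checks the database only every few minutes to save a query; the version above pays one UPDATE per request instead, which is what makes the idle-timeout and the admin kick take effect immediately rather than at the next scheduled check. Either is defensible; the trade is one indexed UPDATE against a window of up to N minutes during which a kicked login keeps working.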
jackpf (posted March 6, 2009)

I think hashing data multiple times is a good idea; it makes it near impossible for people to guess your encryption algorithm. However, does this cause a noticeable difference in page load times at all?
Boo-urns (posted March 6, 2009)

> I think hashing data multiple times is a good idea; it makes it near impossible for people to guess your encryption algorithm. However, does this cause a noticeable difference in page load times at all?

I really don't notice a difference in the page load times. Granted, I'm starting the hash on login and when I check the login after x minutes; I'm not checking it on every page refresh. With a salt added to the hash, it is definitely near impossible to figure out the encryption method.