
PHP secure login form (yes this has been beaten with a stick)


abazoskib


Ok, so this is the first time I've had to write a seriously secure login form. I have the basics down, although I just want to make sure. Basically I will store the username, a username hash, password hash, ip of the user. How exactly would a session play into this? I do not want to use cookies. So the only thing I don't know is how to implement the session. I read you can store a session identifier in a database, but how is that accomplished?

Link to comment
Share on other sites

If the user enters the correct account information, you can set a session var.

 

if ($user_logged_in) // true once the submitted username and password have checked out
{
  $_SESSION['user_id'] = $user_id;
}

 

Once you have a session var, you can move that around, page to page.

 

On each page, you will search for the session var; if the user does not have one, they are not logged in. Then redirect to the login page.

 

Make sense?

Link to comment
Share on other sites

As far as the database is concerned you only need columns for username and a hashed password.

 

When the user logs in you set a $_SESSION var as coupe-r recommended.  On every page (or filter all requests through a single index.php using mod_rewrite), you check for that $_SESSION var;  if it's not set redirect to the login page.

 

The server and client negotiate the session by passing around a session identifier.  The client will store the session identifier in either a cookie or as part of the URL; you really don't get a choice in the matter.  Neither is inherently more secure than the other since they're both controlled by the client.

 

What you read about using the database and the session together has to do with how the session saves its data on the web server.  By default the sessions will be saved as files in a sessions directory.  What this means is someone who has sufficient privileges into the web server can browse and view these files.  If you want to save session data in another form of permanent storage, such as a database, you can overwrite PHP's default session handling capabilities.

 

But no matter how the server saves the session data (file, database, something else), the client and server still pass back and forth the session identifier, which will always be sent as part of the URL or as part of the request body (from the cookie).

Link to comment
Share on other sites

Here's what I am thinking of doing.

 

1. Login form displayed if not logged in

2. When logging in, the form queries for username, password hash, and username hash (I use both for extra security, yes I'm paranoid, and it has to do with possible collisions)

3. If the user checks out in the db, I create a unique session key, which also gets stored in the db with a time_expired field and an ip_address

4. Now on every page, I can validate the session key with the one that was generated at login time, and I can validate the user's IP address to see if it matches.

 

This is for a small user system. Very sensitive information, not much traffic. If there's anything else I can do to tighten it up, I'd love to hear it.

Link to comment
Share on other sites

The username hash is completely useless; get rid of it.

 

"I create a unique session key, which also gets stored in the db with a time_expired field and an ip_address"

All you need to create a unique session key is:

session_start();
$key = session_id();

 

Since each user has only one session, each session id will automatically be unique.  You don't have to generate anything.

 

If the information is that sensitive, then I recommend:

1) using HTTPS

2) automatically logging users out after 5 to 15 minutes of inactivity

3) do not implement any sort of "remember me" feature

Link to comment
Share on other sites
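
The flow the replies describe (set a session variable at login, check it on every page, log out after inactivity, no "remember me"), as an added PHP example that is not code from any poster in this thread. The `users` table layout, the `/login.php` path, the 10-minute limit and the function names are assumptions; the cookie flags and `session_regenerate_id()` go slightly beyond what the thread lists.

```php
<?php
// Added example (not from the thread). Assumes a `users` table with
// `id`, `username`, `password_hash` columns, hashes made by password_hash(),
// and a PDO handle supplied by the caller.
declare(strict_types=1);

const IDLE_LIMIT = 600; // seconds; 10 minutes, inside the suggested 5-15 minute range

function start_secure_session(): void
{
    // Must run before session_start(); the array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie, no "remember me"
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

function log_in(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh ID once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page (or once in a front controller).
function require_login(): int
{
    $idle = time() - ($_SESSION['last_seen'] ?? 0);
    if (!isset($_SESSION['user_id']) || $idle > IDLE_LIMIT) {
        $_SESSION = [];                   // drop the data, then the session itself
        session_destroy();
        header('Location: /login.php');   // hypothetical login page path
        exit;
    }
    $_SESSION['last_seen'] = time();      // activity resets the idle clock
    return $_SESSION['user_id'];
}
```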
