
User System


Perad


This is possibly the best advice I can give:

http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice/


One of the main problems is that you want a user to be able to be "remembered" upon repeated visits, yet you need a secure way to identify them via cookie. Anyone can use a cookie grabber, but the ideas listed in this link help (similar to using session_regenerate_id() on your sessions to make sure your user stays logged on during his active visit to the site).


session_regenerate_id:

http://us2.php.net/manual/en/function.session-regenerate-id.php


For best practice, when you use sessions to check if a user is logged on, you're going to want to regenerate the ids (so that nobody can try and grab the cookie that stores the session id) on each page load.


The best method for salting passwords is to generate random strings that are stored in the database for each user (effectively giving each user a unique salt, making it quite impossible for a hacker to use brute force to guess those passwords, given that they are hashed using sha1() or md5()...). I tend to lean towards md5() as I deal with it more often than sha1(), but either hash scheme is fine IMO.


You're also going to want to register IP addresses somehow in a database, i.e. register the IP they registered the account with and register the IP of their last log in. This way, you can determine common IPs across multiple accounts that got hacked (so that you can block that specific IP). This doesn't work against using proxies though (that's the one workaround).

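Added example, written for this reply and not code from the post or the linked article: a PHP sketch of the remember-me scheme the link describes, with a one-time token that is rotated on every return visit and revoked for the whole user on a mismatch. It assumes a selector/validator split in the cookie and an in-memory $tokens array in place of the database table, and hashes the stored half with sha256 rather than the md5()/sha1() mentioned above.

```php
<?php
// Added example (not from the post): "remember me" tokens in the spirit of the
// linked article. $tokens stands in for a DB table (assumed columns user_id,
// hash, expires). The cookie is "selector:validator"; only a hash of the
// validator is stored, so a leaked table does not let anyone forge a cookie.
$tokens = [];
function issue_remember_token(array &$tokens, int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, only hashed at rest
    $tokens[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + 30 * 86400,
    ];
    return $selector . ':' . $validator;
}

function set_remember_cookie(string $token): void {
    // secure + httponly: never sent over plain HTTP, never readable by page JS
    setcookie('remember', $token, ['expires' => time() + 30 * 86400, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Returns the user id or null. A valid token is consumed and replaced, so a
// copied cookie works at most once; the replacement comes back in $newToken.
function redeem_remember_token(array &$tokens, string $cookie, ?string &$newToken): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($tokens[$parts[0]])) return null;
    [$selector, $validator] = $parts;
    $row = $tokens[$selector];
    unset($tokens[$selector]);                       // one-time use
    if ($row['expires'] < time()) return null;
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // right selector, wrong secret: treat as theft and revoke every token
        // for this user, so thief and real browser both have to log in again
        foreach ($tokens as $s => $r) {
            if ($r['user_id'] === $row['user_id']) unset($tokens[$s]);
        }
        return null;
    }
    $newToken = issue_remember_token($tokens, $row['user_id']);
    return $row['user_id'];
}
// constructed walk-through: login, one return visit, then a replay of the old cookie
$cookie = issue_remember_token($tokens, 42);
$next   = null;
$first  = redeem_remember_token($tokens, $cookie, $next);
$replay = redeem_remember_token($tokens, $cookie, $next);
echo ($first === 42 && $replay === null && $next !== null) ? "rotation ok\n" : "unexpected\n";
```

On a real site, a successful redeem is where you start the session and call session_regenerate_id(true), as the post suggests, before sending the replacement cookie with set_remember_cookie().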
