doubledee Posted December 16, 2011

What kinds of things can I do to make Logging-In and being Logged-In *secure*?? I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on?

Thanks,
Debbie

coupe-r Posted December 16, 2011

Well, for starters...

-- Hash your passwords as well as using a very good salt.
-- On successful login, create a sessions record in a sessions table as well as a $_SESSION variable that passes around to your site. Each page can check to make sure the same person is logged in based on the fields in your variable / database, such as IP address, Web Browser, Session ID, etc. If anything differs, immediately log off. If they get logged off for this reason, you can insert a record in an error_log table for you to track.

There is a ton of stuff out there.

doubledee Posted December 16, 2011

> Well, for starters...
> -- Hash your passwords as well as using a very good salt.
> -- On successful login, create a sessions record in a sessions table as well as a $_SESSION variable that passes around to your site. Each page can check to make sure the same person is logged in based on the fields in your variable / database, such as IP address, Web Browser, Session ID, etc. If anything differs, immediately log off. If they get logged off for this reason, you can insert a record in an error_log table for you to track.
> There is a ton of stuff out there.

Sounds complicated.

First, though, is it insecure to just use a SESSION variable to test if someone is logged in?

Debbie

coupe-r Posted December 16, 2011

Just a SESSION variable, kinda. Sessions can be hijacked. If you have a session variable and then check it against your DB on each page, it is a lot more secure, especially if you check it against IP address and web browser.

doubledee Posted December 16, 2011

> Just a SESSION variable, kinda. Sessions can be hijacked. If you have a session variable and then check it against your DB on each page, it is a lot more secure, especially if you check it against IP address and web browser.

1.) Isn't it complicated to check a Session against a database record?
2.) Doesn't having to query the database *every* time a user surfs to a new page require an ENORMOUS amount of resources?!
3.) What if someone's IP Address changes?
4.) Can you tell with absolute certainty what the "User Agent" really is?
5.) Assuming this is a path I decide to go down, could you help me with the code?

I am re-reading my old code for Logging In and can maybe post it here in a while. Haven't coded PHP since August so my brain has cobwebs in it?!

Thanks,
Debbie

coupe-r Posted December 16, 2011

1. No
2. No. Depending on the application, you could see a ton of queries per page. I have 10-15 queries per page with what I work on.
3. I just used IP as an example. But more than likely wouldn't change while they are logged in.
4. Sure, it will tell you what browser they use. Each string is different for each browser.
5. We cannot do the code for you, but will help with the code you provide.

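An added PHP example of the login and per-page checks coupe-r describes above (example code written for this page, not code from the thread or from any poster). It assumes a PDO connection `$db` and a hypothetical `users` table with `id`, `username` and `password_hash` columns; it uses `password_hash()`/`password_verify()` and `hash_equals()`, which postdate this 2011 thread, and leaves the IP address out of the fingerprint because, as question 3 points out, a client's IP can change mid-session.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $db and a
// hypothetical users table (id, username, password_hash).
const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before forced logout

// Ties the session to the client's User-Agent string. The UA is client-supplied
// and proves nothing on its own, but a mismatch is a cheap hijack signal.
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() reads the per-user salt embedded in the password_hash() output.
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Issue a fresh session ID so an ID planted before login cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']     = (int) $user['id'];
    $_SESSION['fingerprint'] = clientFingerprint();
    $_SESSION['last_seen']   = time();
    return true;
}

// Call at the top of every protected page, after session_start().
function requireLogin(): int
{
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], clientFingerprint())
        && (time() - $_SESSION['last_seen']) <= SESSION_IDLE_LIMIT;
    if (!$ok) {
        logout();
        header('Location: /login.php');
        exit;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    session_destroy();
}
```

The stored hash comes from `password_hash($password, PASSWORD_DEFAULT)` at registration time; no separate salt column is needed.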
doubledee Posted December 16, 2011

> 1. No
> 2. No. Depending on the application, you could see a ton of queries per page. I have 10-15 queries per page with what I work on.
> 3. I just used IP as an example. But more than likely wouldn't change while they are logged in.
> 4. Sure, it will tell you what browser they use. Each string is different for each browser.
> 5. We cannot do the code for you, but will help with the code you provide.

Can you post some sample code of what you do or provide some links? I have no clue where to begin.

I can post the code I have now, but it only uses Sessions.

Thanks,
Debbie

xyph Posted December 16, 2011

Here we go again!

BTW - Read the article in my signature. It sums most of it up.

BTW#2 - Use the class they have created. There's a lot to learn before you can begin to code 'secure' HTTP apps

doubledee Posted December 16, 2011

> Here we go again!

Where are we going??

Debbie

coupe-r Posted December 16, 2011

Wow.... 590 posts and you haven't picked up this stuff yet....

xyph Posted December 16, 2011

> Wow.... 590 posts and you haven't picked up this stuff yet....

Picked up this stuff yet? HTTP security is an extremely complex topic. Most Gurus/Admins here rely on 3rd party methods or classes designed by people with a far deeper understanding of this than us.

Beyond that, security can go far deeper than simply locking-down your user-verification methods. There are many ways a hole in an unrelated section of code could lead to compromises of user security.

doubledee Posted December 16, 2011

> > Wow.... 590 posts and you haven't picked up this stuff yet....
>
> Picked up this stuff yet? HTTP security is an extremely complex topic. Most Gurus/Admins here rely on 3rd party methods or classes designed by people with a far deeper understanding of this than us.

There is never a shortage of sarcasm online...

> Beyond that, security can go far deeper than simply locking-down your user-verification methods. There are many ways a hole in an unrelated section of code could lead to compromises of user security.

Can you recommend some tutorials or provide some starting code that would help me store my session data in the database? (Assuming you agree with that approach?!)

Thanks,
Debbie

coupe-r Posted December 16, 2011

Of course I was only kidding. I can post some when I get home from work...

xyph Posted December 16, 2011

> Can you recommend some tutorials or provide some starting code that would help me store my session data in the database? (Assuming you agree with that approach?!)
>
> Thanks,
> Debbie

There's no _real_ added security storing a session in a database. If you want to create a database-driven session handler, that's a different story, and there's tons of pre-built classes you can use for that.

Again, for user security, please read the article in my signature.

doubledee Posted December 16, 2011

> Of course I was only kidding. I can post some when I get home from work...

FWIW, 590 posts is nothing.

Secondly, I am an on-again off-again PHP'er due to life situations, so when I do learn how to do something I end up forgetting it. Last time I did Authentication was in August.

Yes, some guidance would be appreciated.

Debbie

MasterACE14 Posted December 17, 2011

Session Security