
Login Design Help


Kryptix


Hi,

For the last few years on my website I have been using FluxBB/PunBB's login script, which basically just stores a cookie with their user ID and their password hash. This is fine except that if the database got leaked anyone can log in as anyone else, providing they have their hash.

I'm trying to be more secure about this now. Can someone explain a better process to me please?

I was thinking of storing sessions with a unique hash in an 'active_sessions' table and, providing they have a cookie with that hash, they are granted that session? If someone uses a different IP from the one that session was created with, it's deleted?

I'm new to all of this so any advice would be great. I want this to be secure.


Are you wanting to know about how to create a "remember me" feature so that they don't have to enter a login each time they visit? If that is what you're after, then upon successful login you would generate a random hash value and save that in a cookie and in the DB for that user. Whenever they visit your site you compare those and if they match go ahead and log them in (possibly with limited access). You can optionally re-generate the hash on each visit so as to invalidate it frequently. You could also invalidate it after a set period of time so if, say, they don't visit within 2 weeks, they have to log in again.

A remember me feature is inherently insecure so there's limited things you can do to try and prevent its abuse. Anyone that is sniffing a connection/stealing cookies is going to have a good chance of being able to use it to log in as someone else whose cookies they stole. That is why places with sensitive information typically either don't offer this option, or require you to enter your password anyway to do anything related to viewing/changing your account details.

 

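The "remember me" scheme described in the reply above, as an added example (not code from this thread or from FluxBB/PunBB), in Python with an in-memory dict standing in for the DB table: a random token is issued on login, compared on each visit, rotated on use and expired after 2 weeks. One assumption beyond the reply: the table stores only a SHA-256 hash of the token, so a leaked table (the original poster's concern) is not by itself enough to forge a valid cookie.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for a 'remember me' table keyed by user id.
# Only a SHA-256 hash of the token is stored (an assumption added here), so a
# leaked table cannot be replayed as a cookie; the plaintext token exists only
# in the user's browser.
REMEMBER_TOKENS = {}
TOKEN_LIFETIME = 14 * 24 * 3600  # 2 weeks, in seconds


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_remember_token(user_id: int, now: float) -> str:
    """Generate a random token on successful login; return the cookie value."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    REMEMBER_TOKENS[user_id] = {
        "token_hash": _hash_token(token),
        "expires_at": now + TOKEN_LIFETIME,
    }
    # The cookie carries the user id so the DB lookup is by key, not by token.
    return f"{user_id}:{token}"


def check_remember_cookie(cookie: str, now: float):
    """Return (user_id, fresh_cookie) if the cookie is valid, else None.

    A valid token is rotated on every use, so a stolen copy stops working
    as soon as the legitimate browser has visited again.
    """
    try:
        user_part, token = cookie.split(":", 1)
        user_id = int(user_part)
    except ValueError:
        return None  # malformed cookie
    record = REMEMBER_TOKENS.get(user_id)
    if record is None:
        return None  # no outstanding token for this user
    if now >= record["expires_at"]:
        REMEMBER_TOKENS.pop(user_id, None)  # expired: force a real login
        return None
    # Constant-time comparison so timing does not leak the stored hash.
    if not hmac.compare_digest(record["token_hash"], _hash_token(token)):
        return None
    return user_id, issue_remember_token(user_id, now)


def revoke_remember_token(user_id: int) -> None:
    """Invalidate the user's token, e.g. on logout or password change."""
    REMEMBER_TOKENS.pop(user_id, None)
```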

So if I have the following columns in the users table:

username
password
password_salt
ident
last_ip
last_visit

In the cookie I store their ident hash, and if their IP is different from the last_ip entry it simply logs everyone out by clearing the ident.

When a user logs in successfully a new ident hash is generated and their IP is added as the last IP.

If the user returns 2 weeks after the last visit time it also logs everyone out by clearing the ident.

Will that work OK?
