thefortrees, posted July 13, 2007: Hi all - The application I am developing requires user authentication. Currently, for a user to log in, I run an authentication function that verifies the username and password against values in the database. The password is then converted into a password digest using the md5 hash algorithm. I set several session variables upon authentication: user type (i.e. admin) and login username. Is it good practice to query the database and check for the proper user type and username values on every page that needs to be protected by the authentication framework? Should I introduce any other session variables, or other types of session variables, to provide better security? I have read a bit about recording the login IP address and storing that in a session variable, but that does not seem like a good idea to me, as there are several issues with IP addresses (i.e. AOL users having changing IP addresses for each request??). Is this true? Any other suggestions? Thanks!
pocobueno1388, posted July 13, 2007: What you are doing right now should be secure enough. Just check to see if those sessions exist on each page, and if they don't, don't allow them to see them [but it looks like you already have that done]. Yes, AOL users' IP addresses change often. I'm not exactly sure how much; I don't think it is EVERY request though. Maybe on each restart of their browser? I'm not positive.
cooldude832, posted July 13, 2007: IP tracking isn't good because IPs change/are shared. Also, if you set sessions once you are good; they are stored server side, with the end client having a session ID that connects them to a given session array. You don't need to keep checking them, just check a couple of things, maybe like: if $_SESSION['logged'] == "yes" && isset($_SESSION['username']) && isset($_SESSION['securitylevel']). Otherwise you should be good. Redoing the sessions only creates more chances for flaws, and odds are it offers 0 bonus security.
deadonarrival, posted July 13, 2007: Personally I like to check admin level on each page. The cost of a single SQL request is, in my eyes, well worth the extra security. I also like the function session_regenerate_id() - try looking it up in the manual. Another thing to do is store the IP and user agent and/or operating system in the session. If they change browsers, destroy the session. It's not a catch-all, but every little helps.
Glyde, posted July 13, 2007: The benefit of checking and refreshing sessions on each page is that you have the ability to change a user's permissions and have them take effect automatically. Without this added feature, the client would have to log out and log back in to see their new permissions. As previously stated, it adds 0 security, but it surely doesn't take away security...and...it's an extra feature if you want it.
cooldude832, posted July 13, 2007: Adding is not always good. If it has no bonus it's worthless to me. Sessions can't be changed by anyone except the server and can only be used by the client (one client). Rechecking isn't going to do anything. And if you want to update security levels on the fly, then the processor for the security level change should update the session. I do like the checking computer stats idea, which is a decent idea, but repatching the sessions is 100% pointless extra server load and load time.
Glyde, posted July 13, 2007:
> Adding is not always good. If it has no bonus it's worthless to me. Sessions can't be changed by anyone except the server and can only be used by the client (one client). Rechecking isn't going to do anything. And if you want to update security levels on the fly, then the processor for the security level change should update the session. I do like the checking computer stats idea, which is a decent idea, but repatching the sessions is 100% pointless extra server load and load time.

Just because it's not right for you doesn't mean it's not right for anyone. Plus, we aren't here to state what's right for us...we're here trying to say what could help him. Now, I see where you're coming from; re-assigning sessions is quite useless. However, depending on what sort of system he may develop, it could be a very good thing. In a system that is run by permissions, it's always smart to repopulate the user's session data on a page load, because that will allow for new permissions to take immediate effect, as stated below...especially during development.
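An added example, not code from the thread, that puts the advice above together in one place: deadonarrival's session_regenerate_id() and user-agent binding, cooldude832's isset() checks on the session keys, and Glyde's per-page re-read of the permission level so a change takes effect without a re-login. It assumes a PDO connection $pdo and a users table with id, username, password_hash and role columns, with passwords stored by password_hash() rather than the md5 digest described in the first post.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection
// and a `users` table with columns id, username, password_hash, role.

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, role FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh id at login: a session id fixed on the browser before login is now worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['role'] = $user['role'];
    // Bind to the user agent only; IP addresses change (AOL, proxies, mobile).
    $_SESSION['ua_hash'] = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
    return true;
}

// Call at the top of every protected page after session_start().
// Returns the current role, or ends the session and returns null.
function require_auth(PDO $pdo, int $idleLimit = 1800): ?string
{
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!isset($_SESSION['user_id'], $_SESSION['role'], $_SESSION['ua_hash'])
        || !hash_equals($_SESSION['ua_hash'], $ua)
        || time() - ($_SESSION['last_seen'] ?? 0) > $idleLimit) {
        return logout();
    }
    // Re-read the role each request so a demotion or disabled account
    // takes effect now, not at the next login (Glyde's point).
    $stmt = $pdo->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $role = $stmt->fetchColumn();
    if ($role === false) {
        return logout();
    }
    $_SESSION['role'] = $role;
    $_SESSION['last_seen'] = time();
    return $role;
}

function logout(): ?string
{
    $_SESSION = [];
    session_destroy();
    return null;
}
```

Each protected page calls session_start() and then require_auth($pdo), and compares the returned role against what the page needs (for example 'admin').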