clanstyles Posted October 9, 2007

Hey, I'm trying to create the safest account system possible. I was wondering what is the best way. When the "Remember Me" box is checked I was thinking something like a cookie to encrypt their username, but that can be cracked. And if the last IP == YourIP && username == username then have it let them be logged in. If "Remember Me" is not checked, then have it just use PHP sessions. Are those safe? Thanks

MmmVomit Posted October 9, 2007

To make it safer, just don't have a "Remember me" option.

clanstyles Posted October 9, 2007

But that's just annoying that you have to re-login.

MmmVomit Posted October 9, 2007

Yes, you often have to make trade-offs between security and usability. The "safest account system possible" wouldn't have an option to remember people who have logged in.

clanstyles Posted October 9, 2007

Yes, I am aware of that and HOW you can get around this. But what is the safest method of using cookies and doing this? I was thinking a combination of IP checking and time logged in. But I don't know.

clanstyles Posted October 10, 2007

Bump

MadTechie Posted October 10, 2007

OK, an idea off the top of my head.. create a new table; with this, when someone hits remember me, it creates a new record and gives the user 2 cookies, 1 UID, 2 HASH. If the UID is used with the wrong HASH 5 times it's deleted; other than that it's kept for X days (or always).

Now.. the table also stores a UserHASH = MD5(username.password) (the hashed password) and the userID. When remember me is used (via login thing) it uses the cookie to get the userID, it then checks the MD5(username.password) (the hashed password) against the stored UserHASH. If this is correct then continue, else message "please relogin as your details have changed".

I think that's quite nice :)

clanstyles Posted October 10, 2007

Yeah, that's not bad. Should I do things like add to that table a row called ip? If($IP=="THEREIP") { Keep going.. }

MadTechie Posted October 10, 2007

Na, many people have dynamic IPs.
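
Added example, not part of the thread: a sketch of the two-cookie remember-me table MadTechie describes, without the IP check he advises against. The table, column and function names are hypothetical; storing only a SHA-256 of the cookie secret, using SHA-256 in place of the thread's MD5 for UserHASH, and the 30-day lifetime are assumptions of this sketch.

```php
<?php
// Added example (not from the thread). Table, column and function names are hypothetical.
const MAX_FAILURES = 5;       // the thread's "wrong HASH 5 times" rule
const LIFETIME = 30 * 86400;  // "X days"; 30 is an assumed value
function userHash(array $user): string {
    // Thread: MD5(username . hashed password). SHA-256 is swapped in here.
    return hash('sha256', $user['username'] . $user['password_hash']);
}
function issueToken(PDO $db, array $user): array {
    $uid = bin2hex(random_bytes(16));     // cookie 1: lookup id
    $secret = bin2hex(random_bytes(32));  // cookie 2: secret, stored only as a hash
    $db->prepare('INSERT INTO remember_me VALUES (?, ?, ?, ?, 0, ?)')->execute(
        [$uid, hash('sha256', $secret), $user['id'], userHash($user), time() + LIFETIME]);
    return [$uid, $secret];
}
// Returns the user id, or null when the visitor has to log in again.
function checkToken(PDO $db, string $uid, string $secret, callable $loadUser): ?int {
    $st = $db->prepare('SELECT * FROM remember_me WHERE uid = ?');
    $st->execute([$uid]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    $delete = function () use ($db, $uid) {
        $db->prepare('DELETE FROM remember_me WHERE uid = ?')->execute([$uid]);
    };
    if ((int)$row['expires'] < time()) { $delete(); return null; }
    if (!hash_equals($row['token_hash'], hash('sha256', $secret))) {
        // Wrong secret: count it; the fifth failure deletes the record.
        if ((int)$row['failures'] + 1 >= MAX_FAILURES) $delete();
        else $db->prepare('UPDATE remember_me SET failures = failures + 1 WHERE uid = ?')->execute([$uid]);
        return null;
    }
    $user = $loadUser((int)$row['user_id']);
    if ($user === null || !hash_equals($row['user_hash'], userHash($user))) {
        $delete();  // details changed since the token was issued
        return null;
    }
    return (int)$user['id'];
}

// Constructed demo data in an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_me (uid TEXT PRIMARY KEY, token_hash TEXT,
    user_id INTEGER, user_hash TEXT, failures INTEGER, expires INTEGER)');
$user = ['id' => 7, 'username' => 'alice', 'password_hash' => password_hash('constructed-pw', PASSWORD_DEFAULT)];
[$uid, $secret] = issueToken($db, $user);
$load = function (int $id) use (&$user) { return $user; };
var_dump(checkToken($db, $uid, $secret, $load));
$user['password_hash'] = password_hash('changed-pw', PASSWORD_DEFAULT);
var_dump(checkToken($db, $uid, $secret, $load));
```

In a login page the two values returned by issueToken() would be sent with setcookie() with the secure and httponly flags set.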