WebmasterWorld: PHP Server Side Scripting Forum

    
Writing a secure login. So, sessions.
Karma (5+ Year Member), Msg#: 3888424, posted 9:10 pm on Apr 8, 2009 (gmt 0)

So I'm developing a new site and this time around I'm trying to do things properly.

I've written the first part, which is register/email confirmation/forgot password, and now I'm moving to the part where I check the username/password and, if valid, sign them in.

I know how to store single variables in the session or create a cookie with a validuser=y/n, but I've no idea where I should be going from here (in a secure way).

Do I encrypt a variable in the session/cookie? This may be kind of obvious, but unless you've done it before, you don't know.

I've looked at a few tutorials on this but (as always) there are multiple ways of doing things.

Can someone break down what I need to do now into smaller chunks please.

 

eeek (WebmasterWorld Senior Member, 10+ Year Member), posted 3:51 am on Apr 9, 2009 (gmt 0)

"Do I encrypt a variable in the session/cookie?"

Session variables aren't visible to the outside world so what would encrypting it do for you? You'd just have to decrypt it.

"validuser=y/n"

Might be simpler just to store the user id. If you have one, then the user is logged in.

acemaster (5+ Year Member), posted 4:20 am on Apr 9, 2009 (gmt 0)

[evolt.org...]

The system itself is a little out of date, but the ideas behind it are still great. Like eeek said, session vars are not visible to the outside world, and thus can't be manipulated by anyone but the server (that I know of).

henry0 (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member), posted 1:09 pm on Apr 9, 2009 (gmt 0)

A session may be stolen; you need to make sure that the expected session is the one that is passed.
G for "stealing session", "securing session", etc.

Karma (5+ Year Member), posted 6:45 pm on Apr 9, 2009 (gmt 0)

Thanks all :)

henry0 I did see people mentioning that, and I think that is where the confusion came from.

Can anyone give me some more info on what to do with the cookie? Do I store the visitor's username/password (encrypted) in the cookie and check that they are authorised at the start of each session, then hold that variable "Y/N" in the session?

eeek (WebmasterWorld Senior Member, 10+ Year Member), posted 7:18 pm on Apr 9, 2009 (gmt 0)

"A session may be stolen"

That's a different issue. If it's a big concern, you need to use SSL.

"Can anyone give me some more info on what to do with the cookie"

Use PHP's sessions feature and don't worry about cookies.

henry0 (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member), posted 9:50 pm on Apr 9, 2009 (gmt 0)

In such a case SSL might not be required, but the usual checking is needed more than ever. For example, don't even trust yourself! Say you pass a session with a content of AAA; the receiving page/pages ought to check that the session only contains uppercase alpha characters.

dublinmike (10+ Year Member), posted 11:21 am on Apr 10, 2009 (gmt 0)

In the cookie / session (whatever you're using, maybe both), store the user id and a message digest of their password, e.g. md5($password). Then validate what the user presents against the database. Passwords shouldn't be stored in plain-text in your database.
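The following is an added example, not code posted by anyone in this thread: a minimal PHP login that keeps only the user id in the server-side session, as eeek suggests, issues a fresh session id at login, and re-checks the stored value on every protected page, as henry0 suggests. It swaps in password_hash()/password_verify() for the md5() mentioned above, and assumes PHP 7.3+, an existing PDO connection in $pdo, and a hypothetical users table with id, username and password_hash columns.

```php
<?php
// Added example (not from any poster in this thread). Assumes PHP 7.3+, an
// open PDO connection in $pdo, and a hypothetical "users" table with the
// columns id, username and password_hash (created with password_hash()).

// Harden the session cookie before the session starts: the id is only sent
// over HTTPS, is unreadable by script, and unknown ids are never adopted.
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Returns the user id on success, null otherwise. Verifying against a dummy
// hash when the username is unknown keeps the timing similar in both cases.
function login(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    if (!$row || !password_verify($password, $hash)) {
        return null;
    }

    // A new session id at login means an id planted before login is useless.
    session_regenerate_id(true);
    $_SESSION = ['user_id' => (int) $row['id'], 'login_at' => time()];
    return (int) $row['id'];
}

// Call at the top of every protected page. The only thing trusted is a
// positive integer id held server-side; anything else ends the session.
function currentUserId(): ?int
{
    $id = $_SESSION['user_id'] ?? null;
    if (!is_int($id) || $id <= 0) {
        session_unset();
        session_destroy();
        return null;
    }
    return $id;
}
```

Because the session store lives on the server, nothing in the cookie needs encrypting; the cookie carries only the opaque session id, which is why it must travel over HTTPS and be regenerated at login.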
