homepage Welcome to WebmasterWorld Guest from 54.197.215.146
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Visit PubCon.com
Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
Forum Library, Charter, Moderators: coopster & jatar k

PHP Server Side Scripting Forum

    
Writing a secure login. So, sessions.
Karma




msg:3888426
 9:10 pm on Apr 8, 2009 (gmt 0)

So I'm developing a new site and this time around I'm trying to do things properly.

I've wrote the first part, which is register/email confirmation/forgot password and now I'm moving to the part where I check the username/password and if valid, sign them in.

I know how to store single variables in the session or create a cookie with a validuser=y/n, but I've no idea where I should be going from here (in a secure way).

Do I encrypt a variable in the session/cookie? This may be kind of obvious, but unless you've done it before - you don't know.

I've looked at a few tutorials on this but (as always) there are multiple ways of doing things.

Can someone break down what I need to do now in to smaller chunks please.

 

eeek




msg:3888673
 3:51 am on Apr 9, 2009 (gmt 0)

Do I encrypt a variable in the session/cookie?

Session variables aren't visible to the outside world so what would encrypting it do for you? You'd just have to decrypt it.

validuser=y/n

Might be simpler just to store the user id. If you have one, then the user is logged in.

acemaster




msg:3888690
 4:20 am on Apr 9, 2009 (gmt 0)

[evolt.org...]

The system itself is a little out of date, but the ideas behind it are still great. Like eeek said, session vars are not visible to the outside world, and thus can't be manipulated by anyone but the server(that I know of).

henry0




msg:3888946
 1:09 pm on Apr 9, 2009 (gmt 0)

A session may be stolen; you need to make sure that the expected session is the one that is passed
G for “stealing session” “securing session” etc…

Karma




msg:3889211
 6:45 pm on Apr 9, 2009 (gmt 0)

Thanks all :)

henry0 I did see people mentioning that, and I think that is where the confusion came from.

Can anyone give me some more info on what to do with the cookie. Do I store the visitors username/password (encrypted) in the cookie and check are authorised at the start of each session, then hold that variable "Y/N" in the session?

eeek




msg:3889247
 7:18 pm on Apr 9, 2009 (gmt 0)

A session may be stolen

That's a different issue. If it's a big concern, you need to use SSL.

Can anyone give me some more info on what to do with the cookie

Use PHP's sessions feature and don't worry about cookies.

henry0




msg:3889395
 9:50 pm on Apr 9, 2009 (gmt 0)

in such a case SSL might not be required
but the usual checking more than ever
for example don't even trust yourself!
say you pass a session with a content of AAA
the receiving page/pages ought to check if the session only contains uppercase alpha char

dublinmike




msg:3889813
 11:21 am on Apr 10, 2009 (gmt 0)

In the cookie / session (whatever you're using, maybe both), store the user id and a message digest of their password, e.g. md5($password). Then validate what the user presents against the database. Passwords shouldn't be stored in plain-text in your database.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / PHP Server Side Scripting
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved