Welcome to WebmasterWorld Guest from 54.205.96.97

Forum Moderators: coopster & jatar k

Writing a secure login. So, sessions.

   
9:10 pm on Apr 8, 2009 (gmt 0)

5+ Year Member



So I'm developing a new site and this time around I'm trying to do things properly.

I've wrote the first part, which is register/email confirmation/forgot password and now I'm moving to the part where I check the username/password and if valid, sign them in.

I know how to store single variables in the session or create a cookie with a validuser=y/n, but I've no idea where I should be going from here (in a secure way).

Do I encrypt a variable in the session/cookie? This may be kind of obvious, but unless you've done it before - you don't know.

I've looked at a few tutorials on this but (as always) there are multiple ways of doing things.

Can someone break down what I need to do now in to smaller chunks please.

3:51 am on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Do I encrypt a variable in the session/cookie?

Session variables aren't visible to the outside world so what would encrypting it do for you? You'd just have to decrypt it.

validuser=y/n

Might be simpler just to store the user id. If you have one, then the user is logged in.

4:20 am on Apr 9, 2009 (gmt 0)

5+ Year Member



[evolt.org...]

The system itself is a little out of date, but the ideas behind it are still great. Like eeek said, session vars are not visible to the outside world, and thus can't be manipulated by anyone but the server(that I know of).

1:09 pm on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



A session may be stolen; you need to make sure that the expected session is the one that is passed
G for “stealing session” “securing session” etc…
6:45 pm on Apr 9, 2009 (gmt 0)

5+ Year Member



Thanks all :)

henry0 I did see people mentioning that, and I think that is where the confusion came from.

Can anyone give me some more info on what to do with the cookie. Do I store the visitors username/password (encrypted) in the cookie and check are authorised at the start of each session, then hold that variable "Y/N" in the session?

7:18 pm on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



A session may be stolen

That's a different issue. If it's a big concern, you need to use SSL.

Can anyone give me some more info on what to do with the cookie

Use PHP's sessions feature and don't worry about cookies.

9:50 pm on Apr 9, 2009 (gmt 0)

WebmasterWorld Senior Member henry0 is a WebmasterWorld Top Contributor of All Time 10+ Year Member



in such a case SSL might not be required
but the usual checking more than ever
for example don't even trust yourself!
say you pass a session with a content of AAA
the receiving page/pages ought to check if the session only contains uppercase alpha char
11:21 am on Apr 10, 2009 (gmt 0)

10+ Year Member



In the cookie / session (whatever you're using, maybe both), store the user id and a message digest of their password, e.g. md5($password). Then validate what the user presents against the database. Passwords shouldn't be stored in plain-text in your database.
 

Featured Threads

My Threads

Hot Threads This Week

Hot Threads This Month