
Forum Moderators: coopster & jatar k


Safe way for user login system

     
8:33 pm on Sep 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


I've never built a login system from the ground up so I just want to run my thought process by you guys and make sure I'm thinking about things right.

Usernames and pws are stored in a table; pws are md5 hashed.

If a user puts in a successful un pw combo, I insert a record into a temp table. It stores their userid, sessionid, and date modified.

On any given page, the first function I call is my check permissions function which pulls their session id to see if it exists in that table. If it does, it makes sure their permissions level is correct. If so, nothing happens. If not, then I call header("Location: http://example.com/login");

Is there any way someone could subvert this? If so, how can I make it secure? Thanks!
9:09 pm on Sept 20, 2013 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


Sounds fine. I assume you have exit(0) after header("Location: http://example.com/login"); so no content is served.

I run exactly the same setup. The 'temp' table is a MySQL MEMORY table so lookups are very quick based on a 16 byte MD5 session hash.

Cron job is run periodically to remove older sessions.

A nice touch is to include the redirected from URL, so the user goes back to the original page they were trying to view.
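
Added example, not code from any poster in this thread: the check-permissions gate discussed above, with stale sessions rejected at check time and the "redirected from" URL restricted to same-site paths so it cannot send users to another site. Function names, the row layout, the 30-minute lifetime and PHP 7.1+ are assumptions; storing a SHA-256 digest of the session id instead of the id itself is also a choice made for this example.

```php
<?php
// Added example, not code from the thread. Function names, the row layout
// (userid, level, modified) and the 30-minute lifetime are assumptions.

const SESSION_TTL = 1800; // seconds of inactivity before a session row is stale

/** New session id for the cookie plus the SHA-256 digest to store in the table. */
function new_session_token(): array
{
    $token = bin2hex(random_bytes(32));       // CSPRNG, 256 bits
    return [$token, hash('sha256', $token)];  // a leaked table then holds no usable ids
}

/** Accept only same-site absolute paths as a post-login return target. */
function safe_return_path($candidate, string $default = '/'): string
{
    // One leading "/", not "//" or "/\" (both leave the site), no control characters.
    $ok = is_string($candidate)
        && preg_match('#\A/(?![/\\\\])[^\x00-\x1f]*\z#', $candidate) === 1;
    return $ok ? $candidate : $default;
}

/**
 * $row is the session-table row found via hash('sha256', $cookieToken), or false.
 * Returns null when the request may proceed, else the login URL to redirect to.
 */
function login_redirect_for($row, int $requiredLevel, $requestUri, int $now): ?string
{
    if (is_array($row)
        && $now - $row['modified'] <= SESSION_TTL  // expiry enforced here, not only by cron
        && $row['level'] >= $requiredLevel) {
        return null;
    }
    return 'http://example.com/login?return=' . rawurlencode(safe_return_path($requestUri));
}

// Constructed demo rows and request paths.
$now  = time();
$live = ['userid' => 7, 'level' => 2, 'modified' => $now - 60];
$old  = ['userid' => 7, 'level' => 2, 'modified' => $now - 7200];
$cases = [[$live, '/reports'], [$old, '/reports?page=2'], [false, '//other.example/x']];
foreach ($cases as [$row, $uri]) {
    $to = login_redirect_for($row, 2, $uri, $now);
    // In a page: if ($to !== null) { header('Location: ' . $to); exit(0); }
    echo $uri, ' => ', $to === null ? 'allowed' : $to, PHP_EOL;
}
```

The login page should run the `return` parameter through `safe_return_path()` again before redirecting, since the query string is user-controlled.
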
9:23 pm on Sept 20, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


Yea, I'm trying to get this baby off the ground, getting back to the proper url is first up in v2. I do have exit called as well. I've never done the memory table, does it really help performance that much? I suppose if there are a lot of users logged in at one time, that's what it is for?

I'll schedule something to clean out the old sessions, that's the only reason I was storing the date modified. I was thinking of updating my check permissions function to update the modified date because it gets called when they go to a new page.

Do I need to hash the session ids? I figured they were random enough as is.

I can tell you one thing, after coming from .net development, this makes me appreciate the membership provider that's built into .net. I just run the script on the db, add in a couple lines, and I've got user and sessions working. Plus, nice objects to query, update, and delete users.
9:45 pm on Sept 20, 2013 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


PHP is much the same in that the session_start() function will pretty much deal with sessions for you and is simple to use, but it makes tables storing sessions a bit redundant as it uses temporary files instead. After revisiting the PHP manual page, it seems you can customise the way PHP handles sessions a lot more than you used to be able to.

I prefer to avoid them, particularly so when you're creating a table to store related data. Using a memory table is fast and I consider it good use of memory considering login credentials are checked on every page load.
2:20 pm on Sept 21, 2013 (gmt 0)

New User

joined:Sept 21, 2013
posts:4
votes: 0


I've more or less stopped writing my own login systems ever since I ran into this little gem:

[barebonescms.com...]

But anyway, md5 is no longer the recommended method for hashing passwords. Using bcrypt is the "better" approach. If you want to do some reading on why using bcrypt is better, this might help:

[codahale.com...]

Basically, the guy points out that hashing algorithms are built for speed, which is bad for password storage.
4:29 pm on Sept 21, 2013 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


hugo, there's a difference between storing passwords as MD5 hashes and having an MD5 as a session hash.

'Cracking' the former compromises the account, the latter only compromises the session.

In any event, if someone has the hashed values from your DB it's only a matter of time, but I agree RE: MD5 no longer being the best for hashing passwords.
1:28 pm on Sept 23, 2013 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:June 10, 2008
posts: 1130
votes: 0


So it looks like I can't use bcrypt as it's not installed and this site sits on a server that I don't control. I read up on just crypt, is that really the best alternative I have?
9:21 pm on Sept 23, 2013 (gmt 0)

Administrator

WebmasterWorld Administrator coopster is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:July 31, 2003
posts:12533
votes: 0


See hash():
[php.net...]
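
Added example, not code from the thread: one way to move the md5-hashed password column described in the first post to bcrypt without resetting accounts, by verifying against whichever format is stored and re-hashing on a successful login. It uses PHP's built-in password_hash() and password_verify() (PHP 5.5+; the syntax used here needs 7.1+); the function name, cost value and sample row are assumptions.

```php
<?php
// Added example, not code from the thread. The function name, the cost
// value and the sample row are assumptions.

const BCRYPT_OPTIONS = ['cost' => 12];

/**
 * Check a login attempt against a stored value that is either a legacy
 * unsalted MD5 hex digest or a password_hash() string.
 * Returns [bool $ok, ?string $replacementHash]; a non-null replacement
 * should be written back to the user's row.
 */
function verify_and_upgrade(string $password, string $stored): array
{
    $isLegacyMd5 = preg_match('/\A[0-9a-f]{32}\z/i', $stored) === 1;

    if ($isLegacyMd5) {
        // Constant-time comparison of the two hex digests.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        $ok = password_verify($password, $stored);
    }
    if (!$ok) {
        return [false, null];
    }

    // Upgrade legacy rows, and bcrypt rows created with a lower cost.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        return [true, password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS)];
    }
    return [true, null];
}

// Constructed sample row in the legacy format the first post describes.
$row = ['userid' => 7, 'pw' => md5('correct horse')];

[$ok, $newHash] = verify_and_upgrade('correct horse', $row['pw']);
if ($ok && $newHash !== null) {
    $row['pw'] = $newHash; // real code: UPDATE the users table for this userid
}
echo 'first login ok: ', var_export($ok, true), PHP_EOL;
echo 'stored format now: ', substr($row['pw'], 0, 4), PHP_EOL;
echo 'wrong password ok: ', var_export(verify_and_upgrade('wrong', $row['pw'])[0], true), PHP_EOL;
echo 'second login needs rehash: ',
    var_export(verify_and_upgrade('correct horse', $row['pw'])[1] !== null, true), PHP_EOL;
```

Accounts that never log in again keep their MD5 digest, so the column stays mixed until those rows are expired or forced through a password reset.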
 
