Making Log-In Secure


doubledee


What kinds of things can I do to make Logging-In and being Logged-In *secure*??

 

I get the whole form validation thingy, but what about from the standpoint of how/where I store data in my database and how I keep track of who is logged in and where they can go, and so on?

 

Thanks,

 

 

Debbie


Well, for starters...

 

-- Hash your passwords as well as using a very good salt.

-- On successful login, create a sessions record in a sessions table as well as a $_SESSION variable that passes around to your site.  Each page can check to make sure the same person is logged in based on the fields in your variable / database, such as IP address, Web Browser, Session ID, etc.  If anything differs, immediately log off.  If they get logged off for this reason, you can insert a record in an error_log table for you to track.

 

There is a ton of stuff out there.


> Well, for starters...
>
> -- Hash your passwords as well as using a very good salt.
>
> -- On successful login, create a sessions record in a sessions table as well as a $_SESSION variable that passes around to your site.  Each page can check to make sure the same person is logged in based on the fields in your variable / database, such as IP address, Web Browser, Session ID, etc.  If anything differs, immediately log off.  If they get logged off for this reason, you can insert a record in an error_log table for you to track.
>
> There is a ton of stuff out there.

 

Sounds complicated.

 

First, though, is it insecure to just use a SESSION variable to test if someone is logged in?

 

 

Debbie

 


> Just a SESSION variable, kinda.  Sessions can be hijacked.  If you have a session variable and then check it against your DB on each page, it is a lot more secure, especially if you check it against IP address and web browser.

 

1.) Isn't it complicated to check a Session against a database record?

 

2.) Doesn't having to query the database *every* time a user surfs to a new page require an ENORMOUS amount of resources?!  :o

 

3.) What if someone's IP Address changes?

 

4.) Can you tell with absolute certainty what the "User Agent" really is?

 

5.) Assuming this is a path I decide to go down, could you help me with the code?

 

 

I am re-reading my old code for Logging In and can maybe post it here in a while.

 

Haven't coded PHP since August so my brain has cobwebs in it?!  :-[

 

Thanks,

 

 

Debbie

 

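A worked version of the approach the replies describe (hashed passwords, a sessions table, and a per-page check that binds the session to the browser rather than the IP address, since IPs can change mid-session as question 3 points out), written for this thread as an added example and not any poster's code. It assumes PHP with PDO, that session_start() has already been called, and the hypothetical users and sessions tables named in the comments.

```php
<?php
// Added example, not the poster's code: bcrypt password check plus a server-side
// session record bound to the browser. Assumes session_start() already ran, a PDO
// connection $pdo, and hypothetical tables users(id, username, password_hash)
// and sessions(session_id, user_id, ua_hash).

function uaFingerprint(): string
{
    // Bind to the browser string, not the IP: IPs change mid-session, the UA rarely does.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_hash($pw, PASSWORD_DEFAULT) at signup stores a random salt inside
    // the hash; password_verify() reads it back, so no separate salt column is needed.
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);  // fresh ID on login defeats session fixation
    $pdo->prepare('INSERT INTO sessions (session_id, user_id, ua_hash) VALUES (?, ?, ?)')
        ->execute([session_id(), $user['id'], uaFingerprint()]);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}

// Call at the top of every protected page: returns the user id, or logs the
// session out and redirects when the DB record or browser fingerprint differs.
function requireLogin(PDO $pdo): int
{
    $stmt = $pdo->prepare('SELECT user_id, ua_hash FROM sessions WHERE session_id = ?');
    $stmt->execute([session_id()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = $row && (int) $row['user_id'] === ($_SESSION['user_id'] ?? 0)
        && hash_equals($row['ua_hash'], uaFingerprint());
    if (!$ok) {
        logout($pdo);
        header('Location: /login.php');
        exit;
    }
    return (int) $row['user_id'];
}

function logout(PDO $pdo): void
{
    $pdo->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([session_id()]);
    $_SESSION = [];
    session_destroy();
}
```

The prepared statements keep the lookups safe from SQL injection, and hash_equals() compares the fingerprints in constant time; a mismatch simply ends the session, which is the "immediately log off" step the reply recommends.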

1. No

2. No.  Depending on the application, you could see a ton of queries per page.  I have 10-15 queries per page with what I work on.

3. I just used IP as an example.  But more than likely wouldn't change while they are logged in.

4. Sure, it will tell you what browser they use.  Each string is different for each browser.

5. We cannot do the code for you, but will help with the code you provide.

 

 


> 1. No
>
> 2. No.  Depending on the application, you could see a ton of queries per page.  I have 10-15 queries per page with what I work on.
>
> 3. I just used IP as an example.  But more than likely wouldn't change while they are logged in.
>
> 4. Sure, it will tell you what browser they use.  Each string is different for each browser.
>
> 5. We cannot do the code for you, but will help with the code you provide.

 

Can you post some sample code of what you do or provide some links?

 

I have no clue where to begin.

 

I can post the code I have now, but it only uses Sessions.

 

Thanks,

 

 

Debbie

 


> Wow....  590 posts and you haven't picked up this stuff yet....  :shrug:

 

Picked up this stuff yet? HTTP security is an extremely complex topic. Most Gurus/Admins here rely on 3rd party methods or classes designed by people with a far deeper understanding of this than us.

 

Beyond that, security can go far deeper than simply locking-down your user-verification methods. There are many ways a hole in an unrelated section of code could lead to compromises of user security.


> Wow....  590 posts and you haven't picked up this stuff yet....  :shrug:

 

> Picked up this stuff yet? HTTP security is an extremely complex topic. Most Gurus/Admins here rely on 3rd party methods or classes designed by people with a far deeper understanding of this than us.

 

There is never a shortage of sarcasm online...

 

 

> Beyond that, security can go far deeper than simply locking-down your user-verification methods. There are many ways a hole in an unrelated section of code could lead to compromises of user security.

 

Can you recommend some tutorials or provide some starting code that would help me store my session data in the database?  (Assuming you agree with that approach?!)

 

Thanks,

 

 

Debbie

 


> Can you recommend some tutorials or provide some starting code that would help me store my session data in the database?  (Assuming you agree with that approach?!)
>
> Thanks,
>
> Debbie

 

 

There's no _real_ added security storing a session in a database.

If you want to create a database-driven session handler, that's a different story, and there's tons of pre-built classes you can use for that.

 

Again, for user security, please read the article in my signature.


Of course I was only kidding.  I can post some when I get home from work...

 

FWIW, 590 posts is nothing.  Secondly, I am an on-again off-again PHP'er due to life situations, so when I do learn how to do something I end up forgetting it.

 

Last time I did Authentication was in August.

 

 

Yes, some guidance would be appreciated.

 

 

Debbie

 

