session authentication with cookie and ip check

m@ndio
Forum Regular
Posts: 163
Joined: Fri Jun 06, 2003 12:09 pm
Location: UK

Post by m@ndio »

Is this the correct way to go about doing it?

1. Create a session and grab the session ID.

2. This session ID is already an MD5 hash, but I MD5 it again (dunno why, it's just my thing).

3. Get the I.P. of the user and MD5 it.

4. Store the encrypted session ID and encrypted I.P. in a temp table in the database.

5. Create a cookie on the client machine and store their encrypted session ID and encrypted I.P.

6. Check details from the cookie against details in the database; if they match, bob's your aunty.

How would records get deleted from the temp database if I have no access to cron jobs?

Any ideas?
sjon
Forum Newbie
Posts: 6
Joined: Thu Jun 26, 2003 5:11 pm
Location: EU.NL

Post by sjon »

1. start session.
2a. if new session, add md5 of remote_addr + user_agent to session vars (md5 is not really needed, but you do get a nice 32char string)
2b. if existing session, check that md5 to current input. if they match, bob's your uncle (last time I checked that is...)

if you do want to keep session stuff in a database, use a timestamp field in that table. every time you update a row, that field gets updated automagically (read the docs), and run a delete query once in a while that deletes everything that's more than a day old or so...
example:

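<?php

   // Cron-less cleanup: runs only on requests whose Unix timestamp is divisible by 7.
   // 'table' and 'ts_field' are placeholders for your own table and timestamp column.
   // mysql_query() was removed in PHP 7.0; use mysqli or PDO on current PHP.
   if (time() % 7 == 0) {
       mysql_query('DELETE FROM table WHERE ts_field < DATE_SUB(NOW(), INTERVAL 7 DAY)');
   }

?>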
if you want to add persistent logins for your users, add a second cookie, with an md5 hash of their user_agent, user_id + your_secret_string as its value, plus maybe their userid attached, e.g.:

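<?php

   // Issue the cookie: md5(user agent + user id + server-side secret),
   // followed by the user id and the issue time in clear text.
   if ($persistent) {
      $hash = md5($_SERVER['HTTP_USER_AGENT'] . $user_id . 'hg94h4$%dg');
      $hash .= ':' . $user_id . ':' . time();
      setcookie('sid_p', $hash, time()+$lifetime, '/');
   }

   // to retrieve (on a later request; the cookie may be missing or malformed)
   if (isset($_COOKIE['sid_p'])) {
      // pad to three fields so list() never sees a short array
      list($hash, $uid, $lastlogin) = array_pad(explode(':', $_COOKIE['sid_p'], 3), 3, null);
   }

?>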
if you want real security, use SSL...

Sjon.
mk
Forum Newbie
Posts: 5
Joined: Mon Jul 07, 2003 4:56 pm

Post by mk »

When storing the IP address (md5 or not), isn't this causing problems for AOL users accessing your site?

Unfortunately, AOL is still extremely popular among users and, from what I understand, they bounce across many different proxies.

A fairly obvious problem would be that AOL users, and possibly other multiple-proxy users, will keep getting logged out of the site unintentionally.

Am I mistaken?
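
The check sjon describes in steps 2a/2b, together with the proxy case mk asks about, as an added example that is not code from any poster in this thread. The function names, the `fp` session key, the `|` separator and the `$bindIp` switch (a variation that leaves the address out of the fingerprint) are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
// Added example, not code from the thread. All function names are hypothetical.

// Fingerprint as in step 2a: md5 of remote_addr + user_agent.
// $bindIp = false is an added variation that leaves the address out.
function client_fingerprint(array $server, bool $bindIp = true): string
{
    $ip = $bindIp ? ($server['REMOTE_ADDR'] ?? '') : '';
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    return md5($ip . '|' . $ua);
}

// Steps 2a/2b: store the fingerprint on a new session, compare it on later requests.
// Returns true when the request may keep using the session.
function check_session(array &$session, array $server, bool $bindIp = true): bool
{
    $current = client_fingerprint($server, $bindIp);
    if (!isset($session['fp'])) {
        $session['fp'] = $current;                  // 2a: new session
        return true;
    }
    return hash_equals($session['fp'], $current);   // 2b: existing session
}

// Constructed sample requests (documentation-range addresses, sample user agent).
$ua     = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)';
$first  = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => $ua];
$same   = ['REMOTE_ADDR' => '192.0.2.10',   'HTTP_USER_AGENT' => $ua];
$hopped = ['REMOTE_ADDR' => '198.51.100.7', 'HTTP_USER_AGENT' => $ua]; // same user, next proxy

// $session stands in for $_SESSION so the script runs from the command line.
$session = [];
var_dump(check_session($session, $first));    // new session is accepted
var_dump(check_session($session, $same));     // same address and agent
var_dump(check_session($session, $hopped));   // address changed mid-session

// Same sequence with the address left out of the fingerprint.
$session = [];
var_dump(check_session($session, $first, false));
var_dump(check_session($session, $hopped, false));
```

In a real page, call `session_start()` first and pass `$_SESSION` and `$_SERVER`; a failed check should discard the session and ask the user to log in again.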