secure authentication method
Greetings
I'm looking for an article/tutorial/sample/method for a secure authentication method for user login and password.
Can anyone give some suggestions?
TIA
Almeida
jakobdoppler
- Forum Commoner
- Posts: 46
- Joined: Wed May 21, 2003 6:16 pm
Hehe, searched for years; here are my best results. Basically you have to decide whether to use a simple HTML form authentication or HTTP Basic or Digest authentication, which offers a little more security but needs some workaround to create a logout, since a browser caches the credentials until you close it.
Besides the links below, have a look at "my search for the holy grail".
viewtopic.php?t=24126&highlight=
viewtopic.php?t=25571&highlight=
viewtopic.php?t=23923&highlight=
*hth* _yak
outofabox
-----------
1) patUser, haven't tried it out, but seems to be very good, plus documentation
2) PEAR authentication classes (+ HTTP Basic / HTTP Digest)
3) didn't try this one
tutorials
-----------
4) Authentication module with HTTP Basic authentication; that's what I used in the end, with some modifications. I preferred this one to PEAR::Auth because I could find a way to use Basic WWW authentication with a logout feature.
5) different scripts, all somehow related; some are easy to follow and implement
---
[1] http://www.php-tools.de/ >> patUser
(tutorial part 1/2/3)
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-1/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-2/
http://www.devshed.com/c/a/PHP/User-Aut ... er-part-3/
[2] http://pear.php.net/packages.php?catpid ... entication
[3] http://www.xiven.com/sourcecode/digestauthentication
[4] viewtopic.php?t=24789
[5] http://www.evolt.org/article/comment/17 ... index.html
http://martin.f2o.org/php/
http://www.evolt.org/article/Creating_a ... /17/19661/
http://www.evolt.org/article/Creating_a ... /17/27093/
info on HTTP authentication and drawbacks
http://www.php.net/manual/tw/features.http-auth.php
http://wiki.slugbug.org.uk/HTTP_Authentication
Logout is really easy:
So basically you simply have to delete all Session_Log entries with the current username, IP and session id. Display the logout message and all is done. The user has to re-authorise to log in again.
Code:
<?php
// Logout for the HTTP Basic module: drop every Session_Log row that matches
// the current session id, the authenticated user or the client IP, so the
// next request has to be authorised against the database again.
// (Note the OR: a row matching any one of the three is removed.)
// Requires the mysql_connect() link to be open already.
$sess       = mysql_real_escape_string(session_id());
$user       = mysql_real_escape_string($_SERVER['PHP_AUTH_USER']);
$addressip  = mysql_real_escape_string($_SERVER['REMOTE_ADDR']);
$delete_str = "DELETE FROM Session_Log WHERE Session = '$sess' OR User = '$user' OR IP_Address = '$addressip'";
// Don't silence errors with @: a failed DELETE would leave the user logged in.
$result = mysql_query($delete_str) or die('Logout failed: ' . mysql_error());
// .... display the logout message here
?>
@AGISB
I came up with the same idea, just without using the IP address, as it is easily possible to have several users in the same IP range.
In the tutorials section I wanted to leave some comments on your code, but since this forum is restricted, I leave them here; perhaps you can modify your tutorial if you find this information valuable. I am going to refer to the last script in this tutorial - Authentication Module (HTTP Basic).
1) In the verify_user function I would recommend using an md5 hash instead of the MySQL PASSWORD() function: http://dev.mysql.com/doc/mysql/en/Appli ... d_use.html ("The PASSWORD() function is used by the authentication system in MySQL Server; you should not use it in your own applications.") Change to md5...
2) On line 51 the query on the TStamp column must be named time_stamp to run properly.
3) You could point out what is necessary to get the script to run, like leaving all the dashes out of the $just-a-name and $just-a-time names. That sounds a little bit silly to mention, but for my part I didn't know that dashes are not allowed in names.
4) It was very good to mention that the line
Code:
<?php
session_set_cookie_params(0, '/', '.foo.com');
?>
helps passing the session to subdomains, but if e.g. I want to pass the session from a page that is secured by the script to a non-secured area, it does not work for me; I have to drop that line. (Hmm, wondering if my point here makes sense at all?!)
5) Maybe it would be fine if you could post a version of the final script with the log_failed_user($user) lines included and the simple added logout discussed here.
Thanks again for your good tutorial _yak
@jakobdoppler
As I place every IP block in the database, I can easily drop every entry with the current IP, as only the current user can have that IP and I want to log him out. If another user has the same IP entry (e.g. AOL proxy) in the database, it is also invalid, as that user must have a new IP now. However, I noticed a problem in the tutorial: I should also update the IP address in the session log to make sure it is always the correct one.
However, as all entries with the username are deleted, the user is also effectively logged out, and any possibly left-over IP entry would be gone within 15 minutes anyway.
1) Yes indeed, this should be recommended. I kept it simple here.
2) I changed field names and var names from my actually used functions, as known var names could pose a possible security risk. So there might be a problem with different renaming.
3) I just placed a placeholder for people to replace. I should have mentioned this indeed.
4) Weird. This is working fine for me. Might be a php.ini issue or PHP version issue.
5) Problem is that I cannot post or correct the tutorial, as the forum is blocked for posting and I also still have some German notes in it.
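As an added example (not the tutorial's code and not any poster's code), here is the pattern the whole thread circles around in one runnable piece: HTTP Basic authentication backed by a server-side session log, which is the "workaround" the first post says a Basic-auth logout needs, with the logout keyed on session id and user rather than on REMOTE_ADDR (the shared-IP problem raised above), and password_verify() in place of both MySQL PASSWORD() and the md5() suggested in the thread. It assumes PHP with pdo_sqlite available; the table and column names, the two sample users and the request arrays are invented for the demo, and $_SERVER, $_SESSION and session_id() are passed in as parameters so the flow can be exercised from the command line instead of a browser.

```php
<?php
// Added example for this thread, not the tutorial's or any poster's code:
// HTTP Basic auth backed by a server-side session log, which is the
// "workaround" needed to log a user out although the browser keeps
// re-sending the cached credentials. Table/column names, the sample users
// and the request data below are assumptions constructed for the demo.
declare(strict_types=1);

const REALM       = 'Members';
const SESSION_TTL = 900;   // seconds; stale rows vanish after 15 minutes, as in the thread

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');   // swap for your real DSN; MySQL needs REPLACE INTO / ON DUPLICATE KEY below
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
        $pdo->exec('CREATE TABLE session_log (token TEXT PRIMARY KEY, user TEXT NOT NULL, ip TEXT NOT NULL, last_seen INTEGER NOT NULL)');
        $ins = $pdo->prepare('INSERT INTO users (name, pw_hash) VALUES (?, ?)');
        foreach (['alice' => 'correct horse', 'bob' => 'battery staple'] as $name => $pw) {
            $ins->execute([$name, password_hash($pw, PASSWORD_DEFAULT)]);   // constructed sample users
        }
    }
    return $pdo;
}

// Instead of MySQL PASSWORD() or md5(): a salted, slow hash checked in constant time.
function verify_user(string $user, string $pass): bool {
    $st = db()->prepare('SELECT pw_hash FROM users WHERE name = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($pass, (string) $hash);
}

// In a real request this would send
//   header('WWW-Authenticate: Basic realm="' . REALM . '"'); header('HTTP/1.0 401 Unauthorized'); exit;
function challenge(): array {
    return ['status' => 401, 'user' => null];
}

// $server stands for $_SERVER, $session for $_SESSION and $token for
// session_id(); they are parameters so the flow can be exercised from the CLI.
function authenticate(array $server, array &$session, string $token, int $now): array {
    // One 401 right after logout makes the browser drop its cached credentials
    // and prompt again; without this flag the next request would silently log
    // the user straight back in.
    if (!empty($session['reauth'])) {
        unset($session['reauth']);
        return challenge();
    }
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    if ($user === '' || !verify_user($user, $pass)) {
        return challenge();
    }
    $db = db();
    $db->prepare('DELETE FROM session_log WHERE last_seen < ?')->execute([$now - SESSION_TTL]);
    $st = $db->prepare('SELECT user FROM session_log WHERE token = ?');
    $st->execute([$token]);
    $owner = $st->fetchColumn();
    if ($owner !== false && $owner !== $user) {
        return challenge();   // same session cookie, different credentials: refuse
    }
    // Upsert the row, refreshing the timestamp and the IP (the fix AGISB mentions).
    $db->prepare('INSERT OR REPLACE INTO session_log (token, user, ip, last_seen) VALUES (?, ?, ?, ?)')
       ->execute([$token, $user, $server['REMOTE_ADDR'] ?? '', $now]);
    return ['status' => 200, 'user' => $user];
}

// Keyed on the session token and the user only: adding "OR ip = ?" as in the
// posted snippet would also log out every other user behind the same proxy/NAT.
function logout(array &$session, string $token, string $user): void {
    db()->prepare('DELETE FROM session_log WHERE token = ? AND user = ?')->execute([$token, $user]);
    $session['reauth'] = true;
}

function show(string $label, array $result): void {
    printf("%-28s -> %d\n", $label, $result['status']);
}

// CLI walk-through with constructed requests; both clients sit behind one IP.
$alice = ['PHP_AUTH_USER' => 'alice', 'PHP_AUTH_PW' => 'correct horse',  'REMOTE_ADDR' => '203.0.113.7'];
$bob   = ['PHP_AUTH_USER' => 'bob',   'PHP_AUTH_PW' => 'battery staple', 'REMOTE_ADDR' => '203.0.113.7'];
$sessA = []; $sessB = [];
$now = time();
show('alice logs in',             authenticate($alice, $sessA, 'tokA', $now));
show('bob logs in',               authenticate($bob,   $sessB, 'tokB', $now));
logout($sessA, 'tokA', 'alice');
show('alice, cached credentials', authenticate($alice, $sessA, 'tokA', $now));   // browser gets a 401 and prompts
show('alice re-enters password',  authenticate($alice, $sessA, 'tokA', $now));
show('bob, same IP, still in',    authenticate($bob,   $sessB, 'tokB', $now));
```

Run it with `php basic_auth_demo.php`: the two logins and the two requests after the re-prompt come back 200, the single request that carries alice's cached credentials right after logout comes back 401, and bob, who shares alice's IP, is never logged out. In a real deployment the three parameters come from $_SERVER, $_SESSION and session_id(), challenge() emits the WWW-Authenticate header shown in its comment, and the session cookie should be set with the domain/path discussed above only if every page that needs the session lives under that domain.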