Login Routine

pennythetuff
Forum Newbie
Posts: 22
Joined: Sun Feb 19, 2006 6:05 pm
Location: Kokomo, Indiana

Post by pennythetuff »

I'm working on a site, implementing a user area, and I need a login. I was just wondering how most of you guys do logins. I know it isn't a good idea to assume they're logged in by setting a session to a boolean value. Here's what I'm thinking.

Whenever a user is logged in, update a 12-character random "key" column in the database (hash it maybe), and pass the user_id and the key to a login check routine via a session variable.

This way a user can't do a session hack and set a login session to true, and every time a user logs in, it will give them a completely random and unique temporary password that changes with every login.

I don't know... just a thought.
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

So what do you need help with?
pennythetuff
Forum Newbie
Posts: 22
Joined: Sun Feb 19, 2006 6:05 pm
Location: Kokomo, Indiana

Post by pennythetuff »

I'm just looking for advice as to whether this is a good way to do things or not. To see how other people do their logins. Just to get some input, and maybe some other ways to do things.
nickman013
Forum Regular
Posts: 764
Joined: Sun Aug 14, 2005 12:02 am
Location: Long Island, New York

Post by nickman013 »

I do my logins with sessions, and the username and password are stored in a DB. I think your way would be good, but maybe complicated.
muckyrabbit
Forum Newbie
Posts: 2
Joined: Sun Feb 26, 2006 2:22 am

Post by muckyrabbit »

Here's what you're suggesting, as I see it.

User logs in using user name and password. Once this is confirmed against the database, a random key is generated, stored in the database, then returned, along with the user_id, and stored in the session. The combination of the two can then be checked against the DB to ensure a valid login?

Sounds like a good idea to me. Don't imagine it would slow down the website too much, and a random key generator would be easy to create.
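The flow pennythetuff proposed and muckyrabbit restated, as an added PHP example that is not code from anyone in this thread. It assumes session_start() has already run, a PDO connection, and a users table with columns id, username, password_hash and login_key_hash (a constructed schema); only a hash of the per-login key is kept server-side.

```php
<?php
// Added example, not from the thread. Assumes session_start() was called,
// $pdo is a PDO connection, and a constructed table:
//   users(id, username, password_hash, login_key_hash)

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh random key on every login (32 hex chars here instead of 12).
    // Only its hash is stored, so reading the table does not yield a usable key.
    $key = bin2hex(random_bytes(16));
    $upd = $pdo->prepare('UPDATE users SET login_key_hash = ? WHERE id = ?');
    $upd->execute([hash('sha256', $key), $row['id']]);
    // New session ID after authentication, so a pre-set ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['login_key'] = $key;
    return true;
}

function is_logged_in(PDO $pdo): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_key'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT login_key_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null) {
        return false; // unknown user, or key cleared by logout
    }
    // Constant-time comparison of the stored hash with the hash of the session key.
    return hash_equals((string) $stored, hash('sha256', $_SESSION['login_key']));
}

function logout(PDO $pdo): void
{
    if (isset($_SESSION['user_id'])) {
        $pdo->prepare('UPDATE users SET login_key_hash = NULL WHERE id = ?')
            ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

Because the key is checked against the database on every request, clearing login_key_hash for a user invalidates that user's login everywhere, which a plain yes/no flag in the session cannot do.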
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Could just store a yes/no for being logged in; it's not like session data can be edited or "hacked" like you said (they'd have to have access to the filesystem in order to modify a session value outside of your application).
pennythetuff
Forum Newbie
Posts: 22
Joined: Sun Feb 19, 2006 6:05 pm
Location: Kokomo, Indiana

Post by pennythetuff »

Really? I had been reading some stuff about session hijacking. It doesn't really happen often, or it isn't a big deal?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

On shared hosts it is a vulnerable point if all users' scripts use the same directory as their session storage. It is suggested to use database sessions to protect against that more. Don't store sensitive information in the session; there's no reason to. Keep that data inside the database.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

In my opinion, sessions are generally secure, unless you are passing the session ID via $_GET between pages.

As jshpro2 said, actually hacking a session is extremely difficult/rare.