Login Routine

Posted: Sat Feb 25, 2006 6:12 pm
by pennythetuff
I'm working on a site, I'm implementing a user area, and I need a login. I was just wondering how most of you guys do logins. I know it isn't a good idea to assume they're logged in by setting a session to a boolean value. Here's what I'm thinking.

Whenever a user is logged in update a 12 character random "key" column in the database (hash it maybe), and pass the user_id and the key to a login check routine via a session variable.

This way a user can't do a session hack and set a login session to true, and every time a user logs in it will give them a completely random and unique temporary password that changes with every login.

I don't know... just a thought.

Posted: Sat Feb 25, 2006 6:57 pm
by nickman013
So what do you need help with?

Posted: Sat Feb 25, 2006 7:53 pm
by pennythetuff
I'm just looking for advice as to whether this is a good way to do things or not. To see how other people do their logins. Just to get some input, and maybe some other ways to do things.

Posted: Sat Feb 25, 2006 8:00 pm
by nickman013
I do my logins with sessions, and the username and pword are stored in a DB. I think your way would be good, but maybe complicated.

Posted: Sun Feb 26, 2006 2:41 am
by muckyrabbit
Here's what you're suggesting, as I see it.

User logs in using user name and password. Once this is confirmed against the database, a random key is generated, stored in the database, then returned, along with the user_id, and stored in the session. The combination of the two can then be checked against the db to ensure a valid login?

Sounds like a good idea to me. Don't imagine it would slow down the website too much, and a random key generator would be easy to create.
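The scheme muckyrabbit lays out above, as an added PHP example that is not code from any poster in this thread; the `users` table and its columns (`id`, `username`, `password_hash`, `login_key_hash`) and the `$db` PDO connection are assumptions, and PHP 7 or later is required:

```php
<?php
// Added example: the "user_id + random key" login check described in the thread.
// Assumes a `users` table with columns id, username, password_hash, login_key_hash
// (all hypothetical) and an open PDO connection in $db. session_start() has run.

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() digest in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Fresh random key on every login (12 random bytes, 24 hex characters).
    // Only its hash is stored, so reading the DB alone does not yield a usable key.
    $key = bin2hex(random_bytes(12));
    $upd = $db->prepare('UPDATE users SET login_key_hash = ? WHERE id = ?');
    $upd->execute([hash('sha256', $key), $row['id']]);

    session_regenerate_id(true);            // new session ID when privilege changes
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['login_key'] = $key;
    return true;
}

function isLoggedIn(PDO $db): bool
{
    if (!isset($_SESSION['user_id'], $_SESSION['login_key'])) {
        return false;
    }
    $stmt = $db->prepare('SELECT login_key_hash FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $stored = $stmt->fetchColumn();          // false if no row, null if logged out
    // hash_equals() avoids leaking the comparison result through timing.
    return is_string($stored)
        && hash_equals($stored, hash('sha256', $_SESSION['login_key']));
}

function logout(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        // Clearing the stored key invalidates every copy of this login at once.
        $db->prepare('UPDATE users SET login_key_hash = NULL WHERE id = ?')
           ->execute([$_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}
```

Because each request re-checks the key against the database, a stale or guessed session value is rejected, and clearing the column on logout (or on the next login) ends the session everywhere.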

Posted: Sun Feb 26, 2006 2:45 am
by josh
Could just store a yes no for being logged in, it's not like session data can be edited or "hacked" like you said (they'd have to have access to the filesystem in order to modify a session value outside of your application).

Posted: Sun Feb 26, 2006 7:03 am
by pennythetuff
Really? I had been reading some stuff about session hijacking. It doesn't really happen often or it isn't a big deal?

Posted: Sun Feb 26, 2006 9:51 am
by feyd
On shared hosts it is a vulnerable point if all users' scripts use the same directory as their session storage. It is suggested to use database sessions to protect against that more. Don't store sensitive information in the session, there's no reason to. Keep that data inside the database.

Posted: Sun Feb 26, 2006 11:38 am
by jayshields
In my opinion, sessions are generally secure, unless you are passing the session ID via $_GET between pages.

As jshpro2 said, actually hacking a session is extremely difficult/rare.