
LOGIN - Stay Logged-in -- Session Cookies -- Sessions

Posted: Thu Jun 08, 2006 9:19 pm
by tecktalkcm0391
I can't find anything to help me with this:

I have a database with the usernames and passwords in it, and I have them 'encrypted', using mcrypt_encrypt more than once to encrypt the users' passwords. I know how to get this data back to the raw password, but what I want to do is make it so that when the user logs in, a session is set with the username and pw (encrypted version) in there, with another variable of logged_in == 1 if they're logged in. I also want to make it so that if the user selects stay logged in, they do just that. I have the login page on http://www.URL.com/Login/, and I want the session and cookies to be for the WHOLE website: http://www.URL.com/. I just can't get anything to work. So some examples of code, and stuff to read, could REALLY HELP. This is day 12 on PHP, so yeah, I really don't know a lot, but I am learning.... I want to get my website done by the end of this summer, so I can be done with it.

THANKS FOR ALL OF THE HELP IN ADVANCE.....
CHRIS!!!!

Posted: Thu Jun 08, 2006 9:43 pm
by bdlang
Essentially, you check the $_SESSION['username'] and $_SESSION['logged_in'] values in each script, make certain they're set, and that's usually enough to validate. You could run a call to the database on each page request, but I haven't found that necessary. I don't store the password, hashed or otherwise, in a session or cookie variable. I use a single call to the database with username and password to validate the user on each login, then store and check the $_SESSION values. Another method, aside from a 'logged_in' value, is to hash the user's current IP address. It can't change during the session; if it does, the session has theoretically been hijacked. (I should mention, if someone has the ability and know-how to hijack your session, they may be able to spoof the IP address, but is somebody really going to go to all this length?)

(untested pseudocode)

// index.php (or any other protected script)
// got to start the session, of course!
session_start();

// hash the current client IP the same way login.php did when it stored
// $_SESSION['hashedIP'] at login time
$hashedIP = md5($_SERVER['REMOTE_ADDR']);

// check the user's values
// (note: || rather than &&; if either value is missing the user is not
// logged in, and reading $_SESSION['hashedIP'] below would be undefined)
if (!isset($_SESSION['username']) || !isset($_SESSION['hashedIP'])) {
    // user hasn't logged in at all, redirect to login
    header("Location: login.php");
    exit; // stop here; without exit the rest of the page still executes
} elseif ($_SESSION['hashedIP'] !== $hashedIP) {
    // IP changed mid-session: potential security issue, force the user to log out
    header("Location: logout.php");
    exit;
} else {
    // allow the user in
}
You want to perform this same set of checks per every script you allow the user access to. You can see how setting another value such as 'user_auth_level' could allow you to have admins or moderators view the site in a slightly different manner than regular users. This is pretty basic, please don't take it to be the best security model.

If you have to have a validation process by database call on every script, you might consider using a different value than the actual password, like a temporary hashed session value stored in a separate table, maybe called 'current_logins'. There's a good tutorial on the site by Maugrim entitled 'Challenge/Response secure login process' that should give you some ideas on how to implement this.
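Added example, not code from either poster: one way to build the "stay logged in" part of the original question on top of the 'current_logins' table idea above, using a random token rather than the password, and a cookie scoped to path '/' so it covers the whole site rather than just /Login/. It assumes PHP 7.3 or later (for `random_bytes`, `password_verify` and the `setcookie` options array), a MySQL-style `NOW()`, and a PDO connection `$pdo` with two assumed tables: `users(id, username, password_hash)` where `password_hash` holds a `password_hash()` value, and `current_logins(token_hash, user_id, expires_at)`. All table, column and function names are assumptions for this example.

```php
<?php
// Added example (not from the thread). Assumes PHP >= 7.3, a PDO handle $pdo,
// and the assumed tables users(id, username, password_hash) and
// current_logins(token_hash CHAR(64) PRIMARY KEY, user_id INT, expires_at DATETIME).
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

function cookieOptions(int $expires): array {
    return [
        'expires'  => $expires,
        'path'     => '/',      // whole site, not only /Login/
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

// Check username/password against the password_hash() column and start a session.
function login(PDO $pdo, string $username, string $password, bool $remember): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);          // fresh session ID after authentication
    $_SESSION['user_id']   = (int)$row['id'];
    $_SESSION['username']  = $username;
    $_SESSION['logged_in'] = 1;
    if ($remember) {
        issueRememberToken($pdo, (int)$row['id']);
    }
    return true;
}

// Random token: the browser gets the raw value, the table stores only its
// SHA-256 hash, so a leaked table does not yield working cookies.
function issueRememberToken(PDO $pdo, int $userId): void {
    $token   = bin2hex(random_bytes(32));
    $expires = time() + REMEMBER_TTL;
    $pdo->prepare('INSERT INTO current_logins (token_hash, user_id, expires_at) VALUES (?, ?, ?)')
        ->execute([hash('sha256', $token), $userId, date('Y-m-d H:i:s', $expires)]);
    setcookie(REMEMBER_COOKIE, $token, cookieOptions($expires));
}

// Call at the top of every protected page after session_start().
// Returns the user ID, or null if the visitor should be sent to the login page.
function currentUser(PDO $pdo): ?int {
    if (!empty($_SESSION['logged_in']) && isset($_SESSION['user_id'])) {
        return (int)$_SESSION['user_id'];
    }
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // bin2hex of 32 bytes
        return null;
    }
    $hash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'SELECT u.id, u.username FROM current_logins c JOIN users u ON u.id = c.user_id
         WHERE c.token_hash = ? AND c.expires_at > NOW()'
    );
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Rotate: each token is single-use, so a stolen copy stops working once
    // the legitimate browser has used it.
    $pdo->prepare('DELETE FROM current_logins WHERE token_hash = ?')->execute([$hash]);
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int)$row['id'];
    $_SESSION['username']  = $row['username'];
    $_SESSION['logged_in'] = 1;
    issueRememberToken($pdo, (int)$row['id']);
    return (int)$row['id'];
}

// logout.php: remove the table row, the cookie and the session.
function logout(PDO $pdo): void {
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($token !== '') {
        $pdo->prepare('DELETE FROM current_logins WHERE token_hash = ?')
            ->execute([hash('sha256', $token)]);
    }
    setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600));
    $_SESSION = [];
    session_destroy();
}

// Usage on a protected page (e.g. index.php):
// session_start();
// if (currentUser($pdo) === null) { header('Location: /Login/'); exit; }
```

The token is tied to a random secret rather than to the client address, so it keeps working for users whose IP changes between visits; `session_regenerate_id(true)` after each successful authentication prevents a session ID fixed before login from being reused afterwards.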

Posted: Thu Jun 08, 2006 9:55 pm
by tecktalkcm0391
THANKS


any other input from anyone? I like bdlang, but as he said:
...[D]on't take it to be the best security model.

So I am not, even though it would work fine, and I want to see what other people think.

Posted: Thu Jun 08, 2006 9:59 pm
by bdlang
tecktalkcm0391 wrote:
So I am not, even though it would work fine, and I want to see what other people think.
As would I.

Posted: Fri Jun 09, 2006 10:00 pm
by tecktalkcm0391
Any other people's input?

Posted: Sun Jun 11, 2006 9:14 am
by tecktalkcm0391
Can anyone answer my question? Like the one I posted on: viewtopic.php?t=49862