How do you deal with user authentication?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

Moderator: General Moderators

Post Reply
myleow
Forum Contributor
Posts: 194
Joined: Mon Jun 21, 2004 7:05 pm
Location: California

How do you deal with user authentication?

Post by myleow »

How do you handle user authentication on every page?

Do you save the username and password into session and on top of every page validate it against the username and password in the DB?

If you leave it in the session, its a potential security risk.

How do you do it?

Regards
Mian
User avatar
patrikG
DevNet Master
Posts: 4235
Joined: Thu Aug 15, 2002 5:53 am
Location: Sussex, UK

Re: How do you deal with user authentication?

Post by patrikG »

myleow wrote:If you leave it in the session, its a potential security risk.
It isn't. The safety of session depends entirely on the server environment and setup. Generally, you can work under the assumption that session are safe. Most crucially, you will have to consider the best settings for session timeouts for your application.

Naturally, you won't want to leave a password in a session-variable. Why would you? All an application needs to know is whether the use is logged in or not. Create a unique user-id and have that in the session, otherwise you'll have to log the user in on every single page.

Have a look at the session tutorials at Zend.com, read up on session_set_save_handler in the php manual.
User avatar
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Post by Christopher »

If you are concerned about someone accessing the session files, you don't need to save their password in the session to check if they are logged in (you don't need it anyway). Your access control can be as simple as:

Code: Select all

if ($_SESSION['userid']) {
// allow access
} else {
// access denied
}
When the user is authenticated you set $_SESSION['userid'], when they log-out your unset($_SESSION['userid'])
User avatar
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

if you follow arborint's advice and use [php_man]unset[/php_man], use [php_man]isset[/php_man] instead of running the 'if' straight.
Last edited by feyd on Fri Sep 24, 2004 4:19 pm, edited 1 time in total.
User avatar
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

arborint wrote:When the user is authenticated you set $_SESSION['userid'], when they log-out your unset($_SESSION['userid'])
Yep. That's pretty much the standard way I do it also.

Some applications do store the username, and some other mumbo jumbo in a SESSION/COOKIE var, but in a low security (non-SSL) application, it's not needed, and some would consider it bad design.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA
Contact:

Post by jason »

This is assuming the user is already logged in successfully:

Check integrity of the information via hashing method. This includes user-agent checking.

Check status of user in DB. If the user's status get's set from active to banned, or something else while logged in, I want to know about it.

Check to see if the user has any pending actions to perform. We can set actions at any time, and these actions are a queue (FIFO). Sample actions are: re-enter password, agree to terms and conditions, fill in needed information.

We use sessions, and are behind SSL all the way. =)
Post Reply