Best way to authenticate users.
What is the best way to authenticate users? Is it bad practice to use IP addresses as part of the authentication? What should be done to ensure login is secure?
- Kieran Huggins
Kieran Huggins wrote:
IPs change all the time, they're completely unreliable.
For normal users that's true, but if you're writing a system that's going to be used either on an internal network with static IPs, or accessed by business users behind a static IP, then locking users down to a specific IP address and only authenticating them if they're logging in from that location is a very sensible addition to a username and password system. It's another barrier to unauthorised users, and one that's completely transparent to proper users. That can only be a good thing.
- Kieran Huggins
Thanks guys...
I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something, so they don't inadvertently log themselves out.
How would that be done though?
Seems like a very secure method to me.
- feyd
Call the key generation code again. Whatever the key happens to be.
session_regenerate_id() is used many times; however, it's probably not best to regenerate it on every request. That's a bit excessive.
- feyd
It's important to regenerate the id when moving across security boundaries. For example, from not logged in to logged in; from basic pages to administrative pages; from basic pages to user setting pages. If allowed I, personally, also require logging in again at these transitions.
Basically I place them wherever one moves up a security layer.
- raghavan20
wildwobby wrote:
Thanks guys...
I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something, so they don't inadvertently log themselves out.
How would that be done though?
Seems like a very secure method to me.
Can you explain this 15 sec grace period you are talking about, as I am not aware of this?
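Worked example added here (not code posted by anyone in the thread) tying feyd's point about regenerating the session ID at security boundaries to wildwobby's 15-second grace period: it follows the pattern from the PHP manual's session_regenerate_id() page, minting the new ID with session_create_id() so the old ID can stay valid briefly instead of being destroyed at once. GRACE_SECONDS, regenerate_with_grace() and the verify_password() placeholder are this example's own names.

```php
<?php
// Added example, not code from the thread: rotate the session ID when the user
// moves up a security layer (anonymous -> logged in) but keep the old ID usable
// for a short grace window, so a double-clicked link does not log the user out.
// GRACE_SECONDS and verify_password() are this example's own names.
const GRACE_SECONDS = 15;

function verify_password(string $user, string $pass): bool
{
    return false; // placeholder for the site's real check (e.g. password_verify)
}

function regenerate_with_grace(): void
{
    // Mint the new ID and record it, with the rotation time, in the OLD session
    // record before switching; that record stays valid for GRACE_SECONDS.
    $new_id = session_create_id();
    $_SESSION['destroyed'] = time();
    $_SESSION['new_session_id'] = $new_id;
    session_commit();
    // Strict mode refuses an ID with no record yet, so relax it only for the switch.
    ini_set('session.use_strict_mode', '0');
    session_id($new_id);
    session_start();
    ini_set('session.use_strict_mode', '1');
    unset($_SESSION['destroyed'], $_SESSION['new_session_id']);
}

session_start();
// A request carrying an already-rotated ID: inside the grace window, continue
// under the new ID; after it, treat the stale ID as expired.
if (isset($_SESSION['destroyed'])) {
    if ($_SESSION['destroyed'] < time() - GRACE_SECONDS) {
        session_unset();
        session_destroy();
        http_response_code(401);
        exit('Session expired, please log in again.');
    }
    if (isset($_SESSION['new_session_id'])) {
        session_commit();
        session_id($_SESSION['new_session_id']);
        session_start();
    }
}
// Successful login crosses the boundary, so rotate before storing auth state.
if (isset($_POST['user'], $_POST['pass']) && verify_password($_POST['user'], $_POST['pass'])) {
    regenerate_with_grace();
    $_SESSION['user'] = $_POST['user'];
    $_SESSION['auth_level'] = 'user';
}
```

The same regenerate_with_grace() call belongs at every step up feyd lists (basic to administrative, basic to user settings), while a stale ID seen after the window is a signal worth logging, since a legitimate double-click never arrives that late.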