Best way to authenticate users.

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

wildwobby
Forum Commoner
Posts: 66
Joined: Sat Jul 01, 2006 8:35 pm


Post by wildwobby »

What is the best way to authenticate users? Is it bad practice to use IP addresses as part of the authentication? What should be done to ensure login is secure?
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

IPs change all the time, they're completely unreliable.

Username and password is the standard for a reason ;)
R@mzes
Forum Newbie
Posts: 3
Joined: Fri Jan 05, 2007 3:48 am

Post by R@mzes »

Hi, I think that article can help you. Try it :)

Authorization on PHP
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Post by onion2k »

Kieran Huggins wrote: IPs change all the time, they're completely unreliable.
For normal users that's true, but if you're writing a system that's going to be used either on an internal network with static IPs, or accessed by business users behind a static IP, then locking users down to a specific IP address and only authenticating them if they're logging in from that location is a very sensible addition to a username and password system. It's another barrier to unauthorised users, and one that's completely transparent to proper users. That can only be a good thing.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Just be careful when using IP based locking. If the business client does move IPs, their access will likely be locked, likely resulting in frantic calls from them, and possibly in them losing money.

Just be careful how you use it.
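The pattern onion2k and feyd are discussing, as an added example that is not code from this thread: a per-account allowlist of source networks checked only after the password has been verified, so the IP is an extra gate on top of the credentials rather than a replacement for them. A correct password from an unlisted network is refused and logged, which gives an administrator something to act on when a client's address changes. The account record, the allowlisted ranges and the sample requests are all constructed; `ipInCidr` and `authenticate` are hypothetical helper names.

```php
<?php
// Added example (not from the thread): IP allowlist as a second check on top
// of username/password. All account data and request addresses are constructed.

declare(strict_types=1);

// Hypothetical account record; in practice loaded from your user table.
$account = [
    'username'      => 'alice',
    // password_hash() output for the constructed sample password "correct horse"
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    // Allowlisted source networks for this account, IPv4 CIDR notation.
    'ip_allowlist'  => ['203.0.113.0/24', '198.51.100.7/32'],
];

/** True if $ip (dotted IPv4) lies inside $cidr ("a.b.c.d/n"). */
function ipInCidr(string $ip, string $cidr): bool
{
    [$network, $bits] = explode('/', $cidr, 2) + [1 => '32'];
    $ipLong  = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false) {
        return false;
    }
    $bits = (int) $bits;
    // Build a 32-bit netmask; the & keeps it in range on 64-bit PHP.
    $mask = $bits === 0 ? 0 : (~0 << (32 - $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($netLong & $mask);
}

/**
 * Combined check. Returns 'ok', 'bad_credentials' or 'ip_not_allowed'.
 * Pass the address your own server saw ($_SERVER['REMOTE_ADDR']);
 * X-Forwarded-For is client-supplied and only meaningful behind a proxy
 * you control.
 */
function authenticate(array $account, string $username, string $password, string $remoteAddr): string
{
    if ($username !== $account['username']
        || !password_verify($password, $account['password_hash'])) {
        return 'bad_credentials';
    }
    foreach ($account['ip_allowlist'] as $cidr) {
        if (ipInCidr($remoteAddr, $cidr)) {
            return 'ok';
        }
    }
    // Correct password from an unexpected network: deny, but record it so an
    // administrator can update the allowlist instead of leaving the client
    // locked out as feyd warns.
    error_log(sprintf('allowlist miss for user %s from %s', $username, $remoteAddr));
    return 'ip_not_allowed';
}

// Constructed requests: listed network, unlisted network, wrong password.
var_dump(authenticate($account, 'alice', 'correct horse', '203.0.113.42'));
var_dump(authenticate($account, 'alice', 'correct horse', '192.0.2.9'));
var_dump(authenticate($account, 'alice', 'wrong password', '203.0.113.42'));
```

Checking the password before the address keeps the two failure cases distinguishable in your logs without telling the client which one failed; the response sent to the browser should be the same generic message for both.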
Kieran Huggins
DevNet Master
Posts: 3635
Joined: Wed Dec 06, 2006 4:14 pm
Location: Toronto, Canada

Post by Kieran Huggins »

Maybe use a cookie & IP to auto-login... if one changes / is absent, demand a full login.

Not very secure though... but people save logins in their autocomplete anyway...
wildwobby
Forum Commoner
Posts: 66
Joined: Sat Jul 01, 2006 8:35 pm

Post by wildwobby »

Thanks guys...

I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something and doesn't inadvertently log themselves out.

How would that be done though?

Seems like a very secure method to me.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Call the key generation code again. Whatever the key happens to be.

session_regenerate_id() is used many times; however, it's probably not best to regenerate it on every request, that's a bit excessive.
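The rotating per-page key wildwobby describes, with the 15-second grace window, as an added example rather than code from either poster: the server keeps the current key and the one it just replaced, issues a fresh key on every accepted request (feyd's "call the key generation code again"), and still honours the previous key for a short time so a double-click does not end the session. Storage is a plain array here to keep it runnable; in an application `$state` would live in `$_SESSION`. The TTL, the helper names `rotateKey` and `checkAndRotate`, and the timeline at the bottom are all constructed.

```php
<?php
// Added example (not from the thread): per-request page key with a grace
// period for the previous key. $state stands in for the session store.

declare(strict_types=1);

const KEY_TTL_SECONDS   = 900; // constructed: a key expires 15 minutes after issue
const KEY_GRACE_SECONDS = 15;  // the superseded key is still accepted this long

/** Issue a fresh key into $state, demoting the current one to "previous". */
function rotateKey(array &$state, int $now): string
{
    $state['previous']   = $state['current'] ?? null;
    $state['rotated_at'] = $now;
    $state['current']    = [
        'key'    => bin2hex(random_bytes(16)), // 128 bits from the CSPRNG
        'issued' => $now,
    ];
    return $state['current']['key'];
}

/**
 * Validate the key the client sent back (query string or hidden field).
 * Returns the key to embed in the next page, or null when the request must
 * be treated as unauthenticated.
 */
function checkAndRotate(array &$state, ?string $presented, int $now): ?string
{
    if ($presented === null || !isset($state['current'])) {
        return null;
    }
    $cur = $state['current'];
    // hash_equals() compares in constant time, so a timing side channel
    // does not leak how many leading characters matched.
    if (hash_equals($cur['key'], $presented)) {
        if ($now - $cur['issued'] > KEY_TTL_SECONDS) {
            return null;                         // current key timed out
        }
        return rotateKey($state, $now);          // normal page view: new key
    }
    $prev = $state['previous'] ?? null;
    if ($prev !== null
        && hash_equals($prev['key'], $presented)
        && $now - $state['rotated_at'] <= KEY_GRACE_SECONDS) {
        // Duplicate request inside the grace window (double-click): accept it,
        // but return the key that is already current instead of rotating
        // again, so both in-flight responses agree on the next key.
        return $cur['key'];
    }
    return null;                                 // stale, unknown or expired key
}

// Constructed timeline of one session.
$state = [];
$t0    = 1700000000;
$k1    = rotateKey($state, $t0);                 // issued at login
$k2    = checkAndRotate($state, $k1, $t0 + 5);   // next page: fresh key
$dup   = checkAndRotate($state, $k1, $t0 + 7);   // double-click: returns $k2
$late  = checkAndRotate($state, $k1, $t0 + 30);  // past the grace window: null
$k3    = checkAndRotate($state, $k2, $t0 + 40);  // current key: rotates again

var_dump($dup === $k2, $late === null, $k3 !== null && $k3 !== $k2);
```

Keeping only one previous key bounds the window in which a leaked URL is useful: after the next request plus 15 seconds, the old key is worthless even though the session itself is still alive.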
wildwobby
Forum Commoner
Posts: 66
Joined: Sat Jul 01, 2006 8:35 pm

Post by wildwobby »

A'ight.

Thanks Feyd.

When should I use it though? If I shouldn't use it on every page, which pages is it most important for? Login page? Content pages? Randomly (like only have it renew if a random number between 0 and 1 is 0) per page...

Thanks for the help
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's important to regenerate the id when moving across security boundaries. For example, from not logged in to logged in; from basic pages to administrative pages; from basic pages to user setting pages. If allowed, I personally also require logging in again at these transitions.

Basically I place them wherever one moves up a security layer.
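The placement feyd describes, as an added example rather than his own code: the session id is regenerated exactly twice, once when an anonymous session becomes a logged-in one and once when a logged-in user steps up into the admin area, and the second step also asks for the password again. Regenerating at the login boundary is what defeats session fixation, where a session id created before authentication was handed to the victim by someone else. The helper names `crossBoundary`, `login`, `requireAdmin` and the `$verify`/`$isAdmin` callbacks are hypothetical, and the account in the demo is constructed.

```php
<?php
// Added example (not feyd's code): regenerate the session id at the two
// privilege transitions, not on every request.

declare(strict_types=1);

session_start();

/** Promote the session across a boundary: new id, old session data discarded. */
function crossBoundary(string $newLevel): void
{
    session_regenerate_id(true);       // true: delete the old session file too
    $_SESSION['level']       = $newLevel;
    $_SESSION['level_since'] = time();
}

/** Login handler; $verify(user, password) is the application's credential check. */
function login(string $user, string $password, callable $verify): bool
{
    if (!$verify($user, $password)) {
        return false;
    }
    // Anything the browser held before this point was an unauthenticated
    // session id, possibly one planted by an attacker (session fixation).
    // Replacing it now means that id never becomes a logged-in one.
    crossBoundary('user');
    $_SESSION['user'] = $user;
    return true;
}

/**
 * Guard for administrative pages. Returns true when the session is at admin
 * level; the first visit requires the password again (feyd's re-login) and
 * regenerates the id a second time on success.
 */
function requireAdmin(callable $verify, callable $isAdmin, ?string $passwordAgain): bool
{
    if (($_SESSION['level'] ?? '') === 'admin') {
        return true;                   // already stepped up in this session
    }
    if (!isset($_SESSION['user']) || !$isAdmin($_SESSION['user'])) {
        return false;                  // not an administrator at all
    }
    if ($passwordAgain === null || !$verify($_SESSION['user'], $passwordAgain)) {
        return false;                  // caller should render the re-login form
    }
    crossBoundary('admin');            // second regeneration: user -> admin
    return true;
}

/** Tear down completely; the next login regenerates again from scratch. */
function logout(): void
{
    $_SESSION = [];
    session_destroy();
}

// Constructed demo: one account, password "hunter2", who is also an admin.
$hash    = password_hash('hunter2', PASSWORD_DEFAULT);
$verify  = fn(string $u, string $p): bool => $u === 'alice' && password_verify($p, $hash);
$isAdmin = fn(string $u): bool => $u === 'alice';

$anonymousId = session_id();
login('alice', 'hunter2', $verify);
$userId = session_id();                            // differs from $anonymousId
$first  = requireAdmin($verify, $isAdmin, null);   // false: password not re-entered
$second = requireAdmin($verify, $isAdmin, 'hunter2'); // true, id regenerated again
$adminId = session_id();

var_dump($userId !== $anonymousId, $first, $second, $adminId !== $userId);
```

Content pages between these transitions keep the same id, which answers the "which pages" question: the cost of regeneration is paid only where a stolen or fixated id would gain the attacker a higher privilege than it had before.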
raghavan20
DevNet Resident
Posts: 1451
Joined: Sat Jun 11, 2005 6:57 am
Location: London, UK

Post by raghavan20 »

wildwobby wrote: Thanks guys...

I've heard of people somehow getting a 'key' that grants them access for 1 page, then on the next page generates a new key provided it hasn't timed out. I know you should also give a 15 sec. grace period to the old key in case a user double-clicks a link or something and doesn't inadvertently log themselves out.

How would that be done though?

Seems like a very secure method to me.
Can you explain this 15 sec grace period you are talking about, as I am not aware of this?