Session / Login Best Practices?

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

flying_circus
Forum Regular
Posts: 732
Joined: Wed Mar 05, 2008 10:23 pm
Location: Sunriver, OR

Session / Login Best Practices?

Post by flying_circus »

Hey guys,

I've been doing much searching and I've found some good information, but much of it is dated. Can we have a discussion on what you personally value in terms of a good secure login script?

I think many people have a need for this type of guidance. My history: I consider myself an intermediate hobbyist PHP programmer. I am interested in learning some techniques of the pros.


Let us consider a basic ecommerce site framework. I figure that can be adapted to most anything.

Sessions:
- I prefer to write a DB driven handler. I've written some basic ones in the past, though I am currently chewing through "Professional PHP5" by Wrox, and I like their basic implementation. I can link to the code/db structure if you wish to see it, but it is more a proof of concept than anything impressive.

- How do you structure / store your session variables? Do you encrypt them?

- How do you track return users? Do you use cookies, and if so, how? And how do you verify? The Wrox book suggested, among other things, comparing the user agent string.

- How long do you allow sessions before they expire (garbage collection)?

- How do you code in a friendly manner? Example: the session expires during CC processing.


Cookies:
- Do you use them at all, how many, and for what?

- Do you use them to track return users?


User Authentication:
- Please provide code samples if you don't mind. I am very interested in how you like to do this.

- Once the user is authenticated, how do you track them as they traverse your site, and how do you handle validity of sessions, to avoid session hijacking?



I realize I am asking a lot, but this is one of those threads that I could see having some real value as a sticky. If there is already something like this thread, and I missed the boat, a link would be appreciated!

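The DB-driven session handler asked about above, as an added example that is not the poster's code nor the Wrox book's: it plugs a PDO-backed store into PHP's own session machinery rather than reimplementing sessions from scratch. It assumes PHP 8.1+, PDO against MySQL (the upsert syntax is MySQL's), placeholder connection details, and a `sessions` table of this example's own design; the `validateId()` method is what makes `session.use_strict_mode` actually reject client-supplied ids with a custom handler.

```php
<?php
// Added example, not the poster's code nor the Wrox book's: a database-backed
// session store plugged into PHP's own session machinery. Assumes PHP 8.1+,
// PDO against MySQL (the upsert syntax below is MySQL's), and this table of
// the example's own design:
//
//   CREATE TABLE sessions (
//     id         VARCHAR(128) PRIMARY KEY,
//     data       BLOB NOT NULL,
//     updated_at INT UNSIGNED NOT NULL
//   );

final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        // PHP expects an empty string, not false, for a session with no data yet.
        return $data === false ? '' : (string) $data;
    }

    public function write(string $id, string $data): bool
    {
        // Upsert keyed on the session id. Bound parameters mean the id, which
        // comes from the client's cookie, is never interpolated into SQL.
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, data, updated_at) VALUES (:id, :data, :t)
             ON DUPLICATE KEY UPDATE data = VALUES(data), updated_at = VALUES(updated_at)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: PHP passes session.gc_maxlifetime and calls this
    // with the probability set by session.gc_probability / gc_divisor.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode to work with a custom handler: PHP
    // asks whether an id presented by the client was actually issued by us
    // and generates a fresh one if not, which is what stops session fixation
    // through an attacker-chosen id.
    public function validateId(string $id): bool
    {
        $stmt = $this->pdo->prepare('SELECT 1 FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    // Called instead of write() when the data did not change, so the
    // lifetime is refreshed without rewriting the payload.
    public function updateTimestamp(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare('UPDATE sessions SET updated_at = :t WHERE id = :id');
        return $stmt->execute([':t' => time(), ':id' => $id]);
    }
}

// Wiring it up. Cookie flags are set before session_start(): not readable
// from script (HttpOnly), HTTPS only (Secure), and not sent on cross-site
// navigations (SameSite=Lax). Connection details are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=shop', 'shop_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_set_save_handler(new PdoSessionHandler($pdo), true);
session_start();
```

Once registered this way, `$_SESSION` works exactly as with the file-based default, so the rest of the application does not change; the cookie flags and strict mode are the parts that matter for the hijacking and fixation concerns raised in the post.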
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Re: Session / Login Best Practices?

Post by aaronhall »

flying_circus wrote: - I prefer to write a DB driven handler. I've written some basic ones in the past, though I am currently chewing through "Professional PHP5" by Wrox, and I like their basic implementation. I can link to the code/db structure if you wish to see it, but it is more a proof of concept than anything impressive.

PHP has built-in session handling that solves a lot of these problems for you. They're file based, but there's no reason to implement DB based session storage unless you plan on horizontally scaling and load balancing, in which case PHP will let you plug in your own DB storage routines.

flying_circus wrote: - How do you structure / store your session variables? Do you encrypt them?

They'd ideally be stored server side, as in the case of PHP's session handler -- if that's the case, there's no practical reason to encrypt session variables.

flying_circus wrote: - How do you track return users? Do you use cookies, and if so, how? And how do you verify? The Wrox book suggested, among other things, comparing the user agent string.

The only way to reliably track users over HTTP is by using cookies (the vast majority of clients accept cookies these days).

flying_circus wrote: - How long do you allow sessions before they expire (garbage collection)?

The cookie expire time for PHP sessions is configurable... the right setting depends on the context, but the default will suffice in most cases. Old session files are GC'd automatically.

flying_circus wrote: - Do you use them to track return users?

This is something that PHP doesn't handle if the session cookie expires. An unguessable string stored in a cookie is the de facto solution -- associate the string somehow with your user data and rebuild the session on a match.
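The "unguessable string stored in a cookie" approach described in the reply above, which also answers the original post's questions about tracking return users and avoiding session hijacking, as an added example that is not part of either post. It assumes PHP 8.1+, PDO, that `session_start()` has already run, a login flow that calls `issueRememberToken()` after the password has been verified, and a `remember_tokens` table of this example's own design. The cookie carries two random parts: a selector that locates the row and a validator that proves possession, with only a hash of the validator kept server side.

```php
<?php
// Added example, not the poster's code: persistent "remember me" login on
// top of PHP's native sessions. Assumes PHP 8.1+, PDO, an already started
// session, and this table of the example's own design:
//
//   CREATE TABLE remember_tokens (
//     selector       CHAR(24) PRIMARY KEY,
//     validator_hash CHAR(64) NOT NULL,
//     user_id        INT UNSIGNED NOT NULL,
//     expires_at     INT UNSIGNED NOT NULL
//   );

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 86400; // 30 days, the example's own choice

// Call after a successful password check. The selector finds the row; the
// validator proves possession. Only a hash of the validator is stored, so a
// leaked table does not yield usable cookies. A fast hash is enough here
// because the validator has 256 bits of entropy, unlike a user password.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (:s, :h, :u, :e)'
    );
    $stmt->execute([
        ':s' => $selector,
        ':h' => hash('sha256', $validator),
        ':u' => $userId,
        ':e' => $expires,
    ]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id for a valid token, or null. The selector lookup is a
// plain indexed query; the secret part is compared with hash_equals().
function userIdFromRememberCookie(PDO $pdo): ?int
{
    $raw   = $_COOKIE[REMEMBER_COOKIE] ?? '';
    $parts = explode(':', $raw, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = :s'
    );
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }

    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // A known selector with the wrong validator means someone holds a
        // tampered or stolen copy of the cookie: revoke the row so neither
        // copy keeps working, and log it as a signal worth looking at.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = :s')
            ->execute([':s' => $selector]);
        error_log("remember-me validator mismatch for selector {$selector}");
        return null;
    }
    return (int) $row['user_id'];
}

// Rebuild the session from a matched token. The session id is regenerated
// so an id handed out before authentication cannot be reused afterwards.
function rebuildSessionFromRememberCookie(PDO $pdo): bool
{
    $userId = userIdFromRememberCookie($pdo);
    if ($userId === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    return true;
}
```

Typical use is a check at the top of each request: if `$_SESSION['user_id']` is absent and the cookie is present, call `rebuildSessionFromRememberCookie($pdo)`. Splitting the token into selector and validator keeps the database lookup itself from leaking anything about the secret through timing, and storing only the hash means the table is not a list of working logins.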