Hey guys,
I've been doing much searching and I've found some good information, but much of it is dated. Can we have a discussion on what you personally value in terms of a good secure login script?
I think many people have a need for this type of guidance. My history: I consider myself an intermediate hobbyist PHP programmer. I am interested in learning some techniques of the pros.
Let us consider a basic ecommerce site framework. I figure that can be adapted to most anything.
Sessions:
- I prefer to write a DB driven handler. I've written some basic ones in the past, though I am currently chewing through "Professional PHP5" by wrox, and I like their basic implementation. I can link to the code/db structure if you wish to see it, but it is more a proof of concept than anything impressive.
- How do you structure / store your session variables? Do you encrypt it?
- How do you track return users? Do you use cookies, if so how? And how do you verify. The wrox book suggested, among other things, comparing the user agent string.
- How long do you allow sessions before they expire (garbage collection)?
- How do you code in a friendly manner? Example: session expires during CC processing.
Cookies:
- Do you use them at all, how many, and for what?
- Do you use them to track return users?
User Authentication:
- Please provide code samples if you don't mind. I am very interested in how you like to do this.
- Once the user is authenticated, how do you track them as they traverse your site, and how do you handle validity of sessions, to avoid session hijacking?
I realize I am asking a lot, but this is one of those threads that I could see having some real value as a sticky. If there is already something like this thread, and I missed the boat, a link would be appreciated!
Session / Login Best Practices?
Original post by flying_circus (Forum Regular, joined Wed Mar 05, 2008, Sunriver, OR)

Re: Session / Login Best Practices?
Reply by aaronhall (DevNet Resident, joined Tue Aug 13, 2002, Back in Phoenix, missing the microbrews)
flying_circus wrote:
- I prefer to write a DB driven handler. I've written some basic ones in the past, though I am currently chewing through "Professional PHP5" by wrox, and I like their basic implementation. I can link to the code/db structure if you wish to see it, but it is more a proof of concept than anything impressive.

PHP has built-in session handling that solves a lot of these problems for you. They're file based, but there's no reason to implement DB based session storage unless you plan on horizontally scaling and load balancing, in which case PHP will let you plug in your own DB storage routines.

flying_circus wrote:
- How do you structure / store your session variables? Do you encrypt it?

They'd ideally be stored server side, as in the case of PHP's session handler -- if that's the case, there's no practical reason to encrypt session variables.

flying_circus wrote:
- How do you track return users? Do you use cookies, if so how? And how do you verify? The wrox book suggested, among other things, comparing the user agent string.

The only way to reliably track users over HTTP is by using cookies (the vast majority of clients accept cookies these days).

flying_circus wrote:
- How long do you allow sessions before they expire (garbage collection)?

The cookie expire time for PHP sessions is configurable... the right setting depends on the context, but the default will suffice in most cases. Old session files are GC'd automatically.

flying_circus wrote:
- Do you use them to track return users?

This is something that PHP doesn't handle if the session cookie expires. An unguessable string stored in a cookie is the de facto solution -- associate the string somehow with your user data and rebuild the session on a match.
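As an added example (not code from the thread, from either poster, or from the wrox book), here is one way to implement the "unguessable string in a cookie" approach aaronhall describes above, alongside PHP's own session handling. The table name `remember_tokens` and its columns, the cookie name and the 30-day lifetime are assumptions made for this example; the storage is a hypothetical PDO connection. The secret half of the token is stored only as a hash, so a leaked table does not hand out working cookies, and the session is rebuilt under a fresh id on a match.

```php
<?php
// Added example, not from the thread: "remember me" token flow.
// Assumed table: remember_tokens(selector, token_hash, user_id, expires_at)
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';        // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;    // assumed lifetime: 30 days

// Call after a successful password login to issue a long-lived token.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));    // public lookup key
    $validator = random_bytes(32);            // secret half, sent only to the client
    $expires   = time() + REMEMBER_TTL;

    // Store only the hash of the secret half, never the secret itself.
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . bin2hex($validator), [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On a request with no logged-in session, try to rebuild it from the cookie.
// Returns the user id on a match, or null when nothing valid was presented.
function loginFromRememberCookie(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || strlen($parts[1]) !== 64 || !ctype_xdigit($parts[1])) {
        return null;                          // malformed cookie, ignore it
    }
    [$selector, $validatorHex] = $parts;

    $stmt = $db->prepare(
        'SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;                          // unknown selector or expired token
    }

    // Constant-time comparison of the stored hash against the presented secret.
    $presented = hash('sha256', hex2bin($validatorHex));
    if (!hash_equals($row['token_hash'], $presented)) {
        // Known selector with the wrong secret: revoke it rather than keep guessing possible.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Match: rebuild the session under a fresh id so no prior id is carried over.
    session_start();
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}
```

The split into a public selector and a secret validator lets the lookup use an ordinary indexed query while the comparison of the secret stays constant-time via hash_equals(). If you later do need DB-backed storage for the session data itself, as the reply notes for load-balanced setups, PHP's hook for that is session_set_save_handler(); this example leaves the session store as PHP's default file handler.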