Session / Login Best Practices?
Posted: Fri Mar 14, 2008 1:33 am
Hey guys,
I've been doing much searching and I've found some good information, but much of it is dated. Can we have a discussion on what you personally value in terms of a good secure login script?
I think many people have a need for this type of guidance. My history: I consider myself an intermediate hobbyist PHP programmer. I am interested in learning some techniques of the pros.
Let us consider a basic ecommerce site framework. I figure that can be adapted to most anything.
Sessions:
- I prefer to write a DB driven handler. I've written some basic ones in the past, though I am currently chewing through "Professional PHP5" by wrox, and I like their basic implementation. I can link to the code/db structure if you wish to see it, but it is more a proof of concept than anything impressive.
- How do you structure / store your session variables? Do you encrypt it?
- How do you track return users? Do you use cookies, and if so, how? And how do you verify them? The Wrox book suggested, among other things, comparing the user agent string.
- How long do you allow sessions before they expire (garbage collection)?
- How do you code in a friendly manner? Example: the session expires during CC processing.
Cookies:
- Do you use them at all, how many, and for what?
- Do you use them to track return users?
User Authentication:
- Please provide code samples if you don't mind. I am very interested in how you like to do this.
- Once the user is authenticated, how do you track them as they traverse your site, and how do you handle validity of sessions to avoid session hijacking?
I realize I am asking a lot, but this is one of those threads that I could see having some real value as a sticky. If there is already something like this thread and I missed the boat, a link would be appreciated!
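The post asks for a DB-driven session handler, an expiry policy, and a way to detect hijacked sessions. The following is an added example written for this page, not code from the thread or from the Wrox book. It targets PHP 8.1+ (the thread predates `SessionHandlerInterface`, `SessionUpdateTimestampHandlerInterface`, and the array form of `session_set_cookie_params()`), and the `sessions` table name and columns are assumptions chosen for the example. It also answers the user-agent question from the post: the check is included, but as a speed bump, since anyone who can steal the cookie can usually send the same `User-Agent` header.

```php
<?php
declare(strict_types=1);

// Assumed table (name and columns are hypothetical for this example):
//   CREATE TABLE sessions (id VARCHAR(128) PRIMARY KEY, data BLOB NOT NULL, last_seen INTEGER NOT NULL);
final class PdoSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db, private int $idleSeconds) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // A row older than the idle timeout is treated as absent even before gc() removes it.
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id AND last_seen > :cutoff');
        $stmt->execute([':id' => $id, ':cutoff' => time() - $this->idleSeconds]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // Delete-then-insert in a transaction is a portable upsert. $data is PHP's serialized
        // $_SESSION: keep card numbers and passwords out of it rather than relying on encryption.
        $this->db->beginTransaction();
        $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
        $ok = $this->db->prepare('INSERT INTO sessions (id, data, last_seen) VALUES (:id, :data, :now)')
                       ->execute([':id' => $id, ':data' => $data, ':now' => time()]);
        $this->db->commit();
        return $ok;
    }

    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = :id')->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_seen <= :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // Needed for session.use_strict_mode with a custom handler: PHP asks whether a client-supplied
    // ID exists before accepting it, so an attacker-chosen ID (session fixation) is refused.
    public function validateId(string $id): bool
    {
        $stmt = $this->db->prepare('SELECT 1 FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        return $stmt->fetchColumn() !== false;
    }

    // Called instead of write() when the data is unchanged; keeps the idle timer sliding.
    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->db->prepare('UPDATE sessions SET last_seen = :now WHERE id = :id')
                        ->execute([':now' => time(), ':id' => $id]);
    }
}

function bootSession(PDO $db, int $idleSeconds = 1800): void
{
    session_set_save_handler(new PdoSessionHandler($db, $idleSeconds), true);
    ini_set('session.gc_maxlifetime', (string) $idleSeconds);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');   // never accept the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; the server-side timeout governs lifetime
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Coarse binding to the client. A changed User-Agent mid-session is unusual enough to log
    // out, but this is not a real hijacking defence. Do not bind to the IP address: mobile and
    // NAT users change IPs legitimately.
    $fingerprint = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['fp']) && !hash_equals($_SESSION['fp'], $fingerprint)) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['fp'] = $fingerprint;
}

// Call once credentials are verified. The fresh ID invalidates anything planted before login;
// login_at lets you enforce an absolute lifetime on top of the idle timeout.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}
```

On the "session expires during CC processing" question: with a sliding idle timeout of this kind the session is touched on every request, so it only expires when the user genuinely stops interacting. What you should not do is extend the cookie lifetime to cover long checkouts; instead, keep the order state in the database keyed by order ID and let the user resume after re-authenticating.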
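For the "User Authentication" and "Cookies" questions (tracking return users), here is a second added example, again written for this page rather than taken from the thread. It uses `password_hash()`/`password_verify()` and `random_bytes()` (PHP 7.0+), and the `users` and `remember_tokens` table names and columns are assumptions. A "remember me" token is split into a public selector and a secret validator; only the validator's hash is stored, so a dumped table cannot be replayed as cookies.

```php
<?php
declare(strict_types=1);

// Assumed tables (names and columns are hypothetical for this example):
//   users(id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)
//   remember_tokens(selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)

function registerUser(PDO $db, string $email, string $password): void
{
    // password_hash() chooses a salt and a slow algorithm; never store md5/sha1 of a password.
    $db->prepare('INSERT INTO users (email, password_hash) VALUES (:e, :h)')
       ->execute([':e' => $email, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns the user id on success, null on failure. Unknown e-mails are verified against a
// dummy hash so the response time does not reveal which accounts exist.
function authenticate(PDO $db, string $email, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :e');
    $stmt->execute([':e' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Transparently upgrade stored hashes when the default cost or algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id')
           ->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return (int) $row['id'];
}

// "Remember me": the cookie carries selector:validator. The selector is only a lookup key;
// the validator is the secret and only its SHA-256 is stored.
function issueRememberCookie(PDO $db, int $userId, int $days = 30): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + $days * 86400;
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                  VALUES (:s, :v, :u, :x)')
       ->execute([':s' => $selector, ':v' => hash('sha256', $validator), ':u' => $userId, ':x' => $expires]);
    setcookie('remember', $selector . ':' . $validator, [
        'expires' => $expires, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, else null. A known selector with a wrong
// validator is a forged or stolen cookie, so the token is revoked rather than ignored.
function userFromRememberCookie(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = :s');
    $stmt->execute([':s' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // hash_equals() is constant-time, so the comparison does not leak how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = :s')->execute([':s' => $selector]);
        return null;
    }
    return (int) $row['user_id'];
}
```

Treat a successful `userFromRememberCookie()` like a fresh login: regenerate the session ID before storing the user id in the session, and consider requiring the password again before sensitive actions (changing the e-mail address, viewing stored payment details), since a long-lived cookie is a weaker credential than a password typed minutes ago.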