Check if logged
Alright, here's the problem I'm having... I looked over what's-his-name's tutorial on challenge/response logging in, and ok, that's great. But now what would be the best method for checking if someone is still logged in? At the moment, all I can figure is to store a hashed/encrypted version of their password in their session/cookies, then checking it before doing anything that needs logging in. That seems a pretty dumb way to do it to me, though. Should I use a challenge/response method for the checking as well? And if so, how would I go about it?
e.g.
if (is_logged()) { //...
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
Session IDs should be sufficient. There's a chance that the cookie containing it could be intercepted, but nothing's sacred.
You might be talking about "remember me", in that case, I'd suggest decoupling it from passwords and instead issue randomly generated tokens, stored in the database with expiration dates.
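The decoupled "remember me" token described above, worked through as an added example (this is not Ambush Commander's code and not from the original thread). The browser holds a random selector:validator pair; the table stores only a SHA-256 of the validator and an expiry, so a copied table cannot be replayed and the password is never involved. An in-memory SQLite database stands in for the real table; the table name, column names, function names and the 30-day lifetime are all assumptions made for this example.

```php
<?php
// Added example, not from the thread: "remember me" tokens decoupled from the
// password. Schema, helper names and the 30-day TTL are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    selector       TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL,
    user_id        INTEGER NOT NULL,
    expires_at     INTEGER NOT NULL
)');

const REMEMBER_TTL = 30 * 24 * 3600; // 30 days; an assumed policy

/** Issue a fresh token for $userId and return the cookie value "selector:validator". */
function issue_remember_token(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key; stored in clear
    $validator = bin2hex(random_bytes(32));  // the secret; only its hash is stored
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

/** Return the user id for a valid, unexpired cookie, or null. Expired rows are purged. */
function check_remember_token(PDO $db, string $cookie, int $now): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;                          // malformed cookie
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                          // unknown selector
    }
    if ((int) $row['expires_at'] <= $now) {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;                          // expired: remove it and force a login
    }
    // The selector did the lookup; compare the secret part in constant time.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;                          // right selector, wrong secret
    }
    return (int) $row['user_id'];
}

/** Drop every token for a user, e.g. on password change or "log out everywhere". */
function revoke_remember_tokens(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}

// --- demo with a fixed clock so the expiry case can be exercised offline ---
$now    = 1700000000;
$cookie = issue_remember_token($db, 42, $now);
[$sel, $val] = explode(':', $cookie, 2);

echo "valid cookie one hour later: ";
var_dump(check_remember_token($db, $cookie, $now + 3600));
echo "unknown selector: ";
var_dump(check_remember_token($db, 'bogus:bogus', $now));
echo "known selector, tampered validator: ";
var_dump(check_remember_token($db, $sel . ':' . strrev($val), $now));
echo "same cookie after the TTL has passed: ";
var_dump(check_remember_token($db, $cookie, $now + REMEMBER_TTL + 1));
echo "after revocation: ";
$cookie2 = issue_remember_token($db, 42, $now);
revoke_remember_tokens($db, 42);
var_dump(check_remember_token($db, $cookie2, $now));
```

In a real request the value returned by issue_remember_token goes out with setcookie() using the httponly, secure and samesite options, and a successful check_remember_token only re-establishes the session (followed by session_regenerate_id()); anything sensitive should still ask for the password, which is the trade-off the later reply in this thread describes.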
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
All you really need is some SESSION flag that can be looked for. Say the user logs in - you set up a var say $_SESSION['authenticated'] = 1. You can check that this is set on every page request. If a login fails, or this is not set (new visitor) set it to 0.
You can also do a bit more. SESSION can also store the username and/or user ID (depends). The Database can store the session ID (from session_id() function). On a request you can validate a user:
a) check that $_SESSION['authenticated'] == 1
b) use the SESSION data to look up the user on the database (if exists or not)
c) ensure the session_id() value matches the session ID stored to database for that user. (remember this will not agree once session has expired - so it will force a new login)
You can look through this forum for other ideas to secure sessions, e.g. session ID regeneration etc.
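The three checks listed above (flag, user lookup, session ID match), put into running code as an added example; this is not Maugrim_The_Reaper's code and not from the original thread. It also regenerates the session ID at login, the hardening the reply points at, so a session ID an attacker planted before login is never the one that gets authenticated. The in-memory SQLite table, the users schema, the function names and the demo user are assumptions made for this example.

```php
<?php
// Added example, not from the thread: per-request login check using a session
// flag, a user lookup and a session_id() match against the database.
// Table layout, function names and the demo user are assumptions.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    session_id TEXT
)');
$db->exec("INSERT INTO users (id, name) VALUES (7, 'alice')");

/** Call only after the password or challenge/response check has succeeded. */
function login(PDO $db, int $userId): void
{
    // New ID first: an ID fixed by an attacker before login must not become authenticated.
    session_regenerate_id(true);
    $_SESSION['authenticated'] = 1;
    $_SESSION['user_id']       = $userId;
    $db->prepare('UPDATE users SET session_id = ? WHERE id = ?')
       ->execute([session_id(), $userId]);
}

/** Run on every request that needs a login. Returns the user id, or null to force a login. */
function is_logged(PDO $db): ?int
{
    // a) the session flag is set
    if (($_SESSION['authenticated'] ?? 0) !== 1 || !isset($_SESSION['user_id'])) {
        return null;
    }
    // b) the user in the session still exists
    $stmt = $db->prepare('SELECT id, session_id FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // c) this request's session ID is the one recorded at login; a stale or
    //    replaced ID (server-side expiry, login from elsewhere) forces a new login
    if ($row['session_id'] === null || !hash_equals((string) $row['session_id'], session_id())) {
        return null;
    }
    return (int) $row['id'];
}

/** Clear both the server-side record and the session itself. */
function logout(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        $db->prepare('UPDATE users SET session_id = NULL WHERE id = ?')
           ->execute([(int) $_SESSION['user_id']]);
    }
    $_SESSION = [];
    session_destroy();
}

// --- demo (CLI run; in a web request session_start() comes before any output) ---
ini_set('session.use_cookies', '0');   // CLI has nowhere to send a Set-Cookie header
session_start();

echo "before login: ";
var_dump(is_logged($db));
login($db, 7);
echo "after login: ";
var_dump(is_logged($db));
// Simulate the database now holding a different ID (login from another browser,
// or the stored record replaced): check (c) must fail for this request.
$db->exec("UPDATE users SET session_id = 'some-other-id' WHERE id = 7");
echo "after the stored session ID changed: ";
var_dump(is_logged($db));
logout($db);
```

The flag alone (check a) only says "this session once passed login"; check c is what ties that session to the one the server issued at that login, so a session that has been expired or superseded server-side is refused even though its $_SESSION data would still look right.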
Well, it just doesn't look secure to me. For a session flag, all someone would have to know is what variables to set and what the other person's username is. Voila, logged in.
I suppose the session_id() value would be the hook, though. I think I'll generate a random value and use that, though.
Thanks.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
- Ambush Commander
- DevNet Master
- Posts: 3698
- Joined: Mon Oct 25, 2004 9:29 pm
- Location: New Jersey, US
My personal view on the matter is that unless you're doing commercial applications (and most of the time not even there) it is a fair and balanced trade off between usability and security. You should require reauthentication before sensitive/money-related application parts are executed, but say for Wikipedia, remember me works perfectly.