What's the standard secure way of logging people in?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


munkifisht
Forum Newbie
Posts: 14
Joined: Wed Oct 11, 2006 9:15 am


Post by munkifisht »

I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go? I'm a total newb, so any advice on this is great.
DaveTheAve
Forum Contributor
Posts: 385
Joined: Tue Oct 03, 2006 2:25 pm
Location: 127.0.0.1

Post by DaveTheAve »

Most people use session variables to know the person is logged in. Using this method we don't have to worry about people hacking the cookies and pretending to be other people or having a trillion dollars in their account. I'd look into $_SESSION vars in the PHP Manual. This should get your feet wet; remember to use start_session();!
pwd
Forum Newbie
Posts: 2
Joined: Wed Nov 01, 2006 8:26 am

Re: What's the standard secure way of logging people in?

Post by pwd »

munkifisht wrote:I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go? I'm a total newb, so any advice on this is great.
Using sessions is good, but maybe not enough. If you are afraid for your security, use HTTPS with sessions for storing login data.
Z3RO21
Forum Contributor
Posts: 130
Joined: Thu Aug 17, 2006 8:59 am

Post by Z3RO21 »

What I do is, when a user logs in, it first checks to see if the login information is in fact correct. If it is, then it will generate a random session key and, with the use of a database, store information such as user name, user id, the session key, etc. Then I will set a session variable such as $_SESSION['sid'] equal to the key, and then when I want to do anything with user permissions and the like I can just use the session key as a reference to the information in the database, where users have no access.

I also give the users no direct contact with their database entry, and it is constantly checked for activeness (3 minute timeout limit) and also that it matches the IP that created it.
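The scheme Z3RO21 describes, written out as an added example (this is not the poster's code): after the credential check succeeds, mint a random key, store it server-side with the user id, the client IP and a last-seen time, and hand the client nothing but the key. An in-memory SQLite database through PDO stands in for the real one so the file runs offline; the table and column names, the user id 42 and the IP addresses are constructed for the example.

```php
<?php
// Added example of a database-backed session store: random key, idle timeout,
// IP binding. Table/column names and sample values are assumptions.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 180; // the post's 3 minute inactivity limit

function openSessionStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (
        sid       TEXT PRIMARY KEY,
        user_id   INTEGER NOT NULL,
        ip        TEXT NOT NULL,
        last_seen INTEGER NOT NULL)');
    return $db;
}

// Called only after the username/password check has passed. Returns the key to
// put in $_SESSION['sid']; the row it points at is never shown to the client.
function createSession(PDO $db, int $userId, string $ip, int $now): string
{
    $sid = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, not a counter
    $db->prepare('INSERT INTO sessions (sid, user_id, ip, last_seen) VALUES (?, ?, ?, ?)')
       ->execute([$sid, $userId, $ip, $now]);
    return $sid;
}

// Per-request lookup: returns the user id, or null when the key is unknown,
// idle for longer than the limit, or presented from a different address.
// A key that fails either check is deleted so it cannot be retried.
function resolveSession(PDO $db, string $sid, string $ip, int $now): ?int
{
    $stmt = $db->prepare('SELECT user_id, ip, last_seen FROM sessions WHERE sid = ?');
    $stmt->execute([$sid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $expired = ($now - (int) $row['last_seen']) > IDLE_TIMEOUT_SECONDS;
    $movedIp = !hash_equals($row['ip'], $ip);
    if ($expired || $movedIp) {
        $db->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
        return null;
    }
    // Sliding window: activity pushes the expiry forward.
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE sid = ?')->execute([$now, $sid]);
    return (int) $row['user_id'];
}

function destroySession(PDO $db, string $sid): void
{
    $db->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- walk-through with constructed values and a fixed clock ---
$db  = openSessionStore();
$t0  = 1700000000;
$sid = createSession($db, 42, '10.0.0.5', $t0);

check(strlen($sid) === 64, 'key is 64 hex chars');
check(resolveSession($db, $sid, '10.0.0.5', $t0 + 60) === 42, 'active, same IP');
check(resolveSession($db, $sid, '10.0.0.5', $t0 + 239) === 42, '179 s idle: still valid');
check(resolveSession($db, $sid, '10.0.0.9', $t0 + 300) === null, 'different IP: rejected');
check(resolveSession($db, $sid, '10.0.0.5', $t0 + 300) === null, 'rejected key was deleted');

$sid = createSession($db, 42, '10.0.0.5', $t0);
check(resolveSession($db, $sid, '10.0.0.5', $t0 + 181) === null, '181 s idle: timed out');
destroySession($db, $sid);
echo "session store checks passed\n";
```

Two caveats a practitioner would weigh before copying this. Binding a session to the client IP logs out anyone whose address changes mid-session, which is routine for mobile users and for clients behind carrier-grade NAT, so it trades availability for a defence that an attacker on the same network segment can still bypass. And an idle timeout alone lets a session live forever under steady activity; pair it with an absolute maximum lifetime after which the user must re-authenticate.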
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

Z3RO21 wrote:Then I will set a session variable such as $_SESSION['sid'] equal to the key, and then when I want to do anything with user permision and the like I can just use the session key as a reference to the information in the database where users have no access.
The user shouldn't (unless your situation is unusual) have access to $_SESSION therefore you might consider storing some of that commonly needed data in $_SESSION. This might eliminate some database queries.

You should also use (maybe you do but you don't mention it) session_regenerate_id() when logging in users to help reduce the risk of session fixation.
munkifisht wrote:I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go?
Suggest you do some reading at http://phpsec.org/ before you worry about cookies.
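The native-session login that DaveTheAve and Buddha443556 describe, with pwd's HTTPS point reflected in the cookie flags, as an added example that is not code from any of the posts. The user store is a constructed array so the file is self-contained; lookupUser() would be a database query in a real application. It needs PHP 7.4 or later, and the 'secure' cookie flag assumes the site is served over HTTPS. Note that PHP's function is session_start(); there is no start_session().

```php
<?php
// Added example of a $_SESSION-based login with hardened cookie settings and
// session_regenerate_id() at login. The user data is constructed for the example.
declare(strict_types=1);

// Configure the session cookie before the session starts. These are PHP's own
// session.* settings; 'secure' assumes HTTPS.
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,       // cookie goes away when the browser closes
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // ignore ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    session_start();
}

// Constructed user store. A real table holds password_hash() output, never plaintext.
function lookupUser(string $username): ?array
{
    static $users = null;
    $users ??= ['alice' => ['id' => 42, 'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}

function login(string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('not-a-real-user', PASSWORD_DEFAULT);

    $user = lookupUser($username);
    // Verify against a dummy hash when the user is unknown so the response time
    // does not reveal which usernames exist.
    $ok = password_verify($password, $user['password_hash'] ?? $dummyHash);
    if ($user === null || !$ok) {
        return false;
    }
    // Issue a fresh id at the privilege change so an id planted before login
    // (session fixation) does not carry into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Per-request check used by protected pages.
function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie client-side, then drop the server-side data.
    setcookie(session_name(), '', [
        'expires' => time() - 3600, 'path' => $p['path'],
        'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Typical page flow (run under a web SAPI; php-cli has no cookies to set).
startSecureSession();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (!login((string) $_POST['username'], (string) $_POST['password'])) {
        http_response_code(401);
        exit('Invalid username or password.');
    }
}
$uid = currentUserId();
echo $uid === null ? "Not logged in\n" : "Logged in as user {$uid}\n";
```

The storage choice follows Buddha443556's point: the browser only ever holds the opaque session id, so the user id and anything else the application needs on every request can live in $_SESSION without a database round trip. session_regenerate_id(true) deletes the old session data rather than leaving a second valid id behind, and use_strict_mode makes PHP refuse an id it did not issue, which closes the other half of the fixation problem.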
munkifisht
Forum Newbie
Posts: 14
Joined: Wed Oct 11, 2006 9:15 am

Post by munkifisht »

Thanks all. That answers my Qs.