
What's the standard secure way of logging people in?

Posted: Tue Oct 24, 2006 2:47 pm
by munkifisht
I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go? I'm a total newb, so any advice on this is great.

Posted: Tue Oct 31, 2006 9:13 pm
by DaveTheAve
Most people use session variables to know the person is logged in. Using this method we don't have to worry about people hacking the cookies and pretending to be other people or have a trillion dollars in their account. I'd look into $_SESSION vars in the PHP Manual. This should get your feet wet; remember to use session_start();!

Re: What's the standard secure way of logging people in?

Posted: Wed Nov 01, 2006 8:47 am
by pwd
munkifisht wrote:I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go? I'm a total newb, so any advice on this is great.
Using sessions is good, but maybe not enough. If you are worried about your security, use HTTPS with sessions for storing login data.

Posted: Thu Nov 02, 2006 6:23 pm
by Z3RO21
What I do is, when a user logs in, it first checks to see if the login information is in fact correct. If it is, then it will generate a random session key and, with the use of a database, store information such as user name, user id, the session key, etc. Then I will set a session variable such as $_SESSION['sid'] equal to the key, and then when I want to do anything with user permissions and the like I can just use the session key as a reference to the information in the database where users have no access.

And I also give the users no direct contact with their database entry, and it is constantly checked for activeness (3 minute timeout limit) and also that it matches the IP that created it.

Posted: Thu Nov 02, 2006 7:28 pm
by Buddha443556
Z3RO21 wrote:Then I will set a session variable such as $_SESSION['sid'] equal to the key, and then when I want to do anything with user permissions and the like I can just use the session key as a reference to the information in the database where users have no access.
The user shouldn't (unless your situation is unusual) have access to $_SESSION therefore you might consider storing some of that commonly needed data in $_SESSION. This might eliminate some database queries.

You should also use (maybe you do but you don't mention it) session_regenerate_id() when logging in users to help reduce the risk of session fixation.
munkifisht wrote:I am creating a login feature, and I was wondering what is considered the standard way of securing your site in relation to this? I was looking at cookies; would this be the way to go?
Suggest you do some reading at http://phpsec.org/ before you worry about cookies.
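The flow Z3RO21 and Buddha443556 describe (verify credentials, regenerate the session id on login, keep the needed data in $_SESSION, enforce an inactivity timeout), as an added example that is not code from any poster in this thread. $lookupUser is a hypothetical callback standing in for the database query; the stored hash is assumed to come from password_hash().

```php
<?php
// Added example: session-based login following the thread's advice.
// Assumed bootstrap before any of this runs:
//   ini_set('session.cookie_httponly', 1); ini_set('session.cookie_secure', 1); session_start();

const INACTIVITY_LIMIT = 180; // seconds; the thread's 3-minute timeout

// $lookupUser (hypothetical): username -> ['id' => int, 'hash' => string] or null
function login(string $username, string $password, callable $lookupUser): bool
{
    $row = $lookupUser($username);
    // Always run password_verify, even for unknown users, so a missing account
    // is not distinguishable from a wrong password by response time.
    $hash = $row['hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === null) {
        return false;
    }
    // Fresh session id at the privilege change: an id planted in the victim's
    // browser before login (session fixation) no longer maps to this session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $row['id'];
    $_SESSION['last_seen'] = time();
    return true;
}

// Returns the logged-in user's id, or null when not logged in or timed out.
// Identity comes only from server-side $_SESSION, never from a client cookie value.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > INACTIVITY_LIMIT) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time(); // sliding inactivity window
    return $_SESSION['user_id'];
}

function logout(): void
{
    $_SESSION = [];
    // Expire the session cookie on the client as well as destroying server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Z3RO21's IP check is deliberately left out here; it breaks for users behind rotating proxies or mobile carriers, so the timeout plus HTTPS and HttpOnly/Secure cookie flags carry the protection instead.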

Posted: Fri Nov 03, 2006 8:49 am
by munkifisht
Thanks all. That answers my Qs.