Logging in
- Table: USERTABLE
  Fields: USERNAME, PASSWORD, LOGIN_ATTEMPTS (and others)
- Select records from USERTABLE where USERNAME = $username
- If record doesn't exist then
  - Warn user of incorrect login information
  - Return to login page
- If PASSWORD doesn't match $password then
  - If LOGIN_ATTEMPTS > 2 (three or more) then
    - Lock account
    - Warn user that account is locked and to contact customer service
    - Redirect to login page
  - Else
    - Increment LOGIN_ATTEMPTS by 1
    - Warn user of incorrect login information
    - Return to login page
- Else (password matches)
  - Create new session (createSession())
  - Set LOGIN_ATTEMPTS back to 0
  - Redirect to proper page
•The passwords are stored by hashing the user's password together with a 6-character random string (a salt) to help prevent dictionary attacks.
•When the user's account is locked, the word "LOCKED" is placed in their password field. It is impossible for an attacker to provide a password that will hash to the word "LOCKED", so this effectively locks the account.
Creating new sessions
- Table: SESSIONS
  Fields: USERNAME (primary key), PASSWORD, SESSION, COOKIE, IP, TIMESTAMP
- Delete any sessions with USERNAME = $username
- Insert new session information:
  - USERNAME = $username
  - PASSWORD = $password (sha1 hashed)
  - SESSION = session_id() // PHP function
  - COOKIE = md5(username + timestamp) // also set on user's machine
  - IP = getenv('REMOTE_ADDR') // user's current IP address
  - TIMESTAMP = time session is created (for timeout purposes)
Checking for valid session (every required page)
Function checkSession()
- Select all records in SESSIONS table where:
  - USERNAME = the session username ($_SESSION["username"])
  - PASSWORD = the session password ($_SESSION["password"])
  - SESSION = session_id()
  - IP = user's IP address (getenv('REMOTE_ADDR'))
- If no such record exists then
  - Destroy any existing session variables
  - Redirect to login page
- If session record (USERNAME, PASSWORD) doesn't match what is in USERTABLE then
  - Delete session information from database
  - Destroy session variables
  - Redirect to login page
- If the session has timed out (based on TIMESTAMP) then
  - Delete session information from database
  - Destroy session variables
  - Redirect to login page
  - Let user know their session timed out
- If COOKIE doesn't match user's cookie then
  - Delete session information from database
  - Destroy session variables
  - Redirect to login page
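The login and checkSession() flows above, turned into an added, runnable Python example (this is not the poster's PHP; in-memory dicts stand in for USERTABLE and SESSIONS, the 900-second timeout and the hex salt are assumptions, and the sha1/md5 choices are kept exactly as the post describes them):

```python
import hashlib, secrets
USERTABLE = {}  # constructed in-memory stand-in for the post's table (assumption): salt, password, login_attempts
SESSIONS = {}   # same; one row per user: password, session, cookie, ip, timestamp
SESSION_TIMEOUT = 900  # seconds; assumed, the post only says TIMESTAMP is "for timeout purposes"

def hash_password(password, salt):
    return hashlib.sha1((salt + password).encode()).hexdigest()  # post's scheme: sha1(6-char salt + pw)
def add_user(username, password):
    salt = secrets.token_hex(3)  # 6 hex characters
    USERTABLE[username] = {"salt": salt, "password": hash_password(password, salt), "login_attempts": 0}

def create_session(username, password_hash, session_id, ip, now):
    SESSIONS.pop(username, None)  # delete any existing session for this user first
    cookie = hashlib.md5(f"{username}{now}".encode()).hexdigest()  # md5(username + timestamp)
    SESSIONS[username] = {"password": password_hash, "session": session_id, "cookie": cookie, "ip": ip, "timestamp": now}
    return cookie

def login(username, password, session_id, ip, now):
    """Mirror the post's login flow; returns 'ok', 'bad_login' or 'locked'."""
    user = USERTABLE.get(username)
    if user is None:
        return "bad_login"
    # A locked account holds the sentinel "LOCKED"; no hex digest equals it, so every password fails.
    if hash_password(password, user["salt"]) != user["password"]:
        if user["login_attempts"] > 2:  # three or more failures already recorded
            user["password"] = "LOCKED"
            return "locked"
        user["login_attempts"] += 1
        return "bad_login"
    user["login_attempts"] = 0
    create_session(username, user["password"], session_id, ip, now)
    return "ok"

def check_session(username, password_hash, session_id, ip, cookie, now):
    """Mirror checkSession(); returns 'ok' or the reason the session is rejected."""
    rec = SESSIONS.get(username)
    if rec is None or (rec["password"], rec["session"], rec["ip"]) != (password_hash, session_id, ip):
        return "no_session"
    user = USERTABLE.get(username)
    if user is None or user["password"] != rec["password"]:
        SESSIONS.pop(username)  # also ends live sessions once the account has been set to "LOCKED"
        return "user_mismatch"
    if now - rec["timestamp"] > SESSION_TIMEOUT:
        SESSIONS.pop(username)
        return "timed_out"
    if rec["cookie"] != cookie:
        SESSIONS.pop(username)
        return "cookie_mismatch"
    return "ok"
```

Note that the USERTABLE comparison in check_session is what makes the "LOCKED" sentinel terminate sessions that were already open when the account got locked.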
Thanks for your help!