Yet another Sessions, Cookies, and Logins post
Yep. One in every four posts must be about this topic in this forum, yet I still can't figure this out. I thought I had it after following the wonderful Challenge/Response Tutorial. I implemented this, and it worked very happily. Aside from OOPing it to some extent, I've written almost the exact code he has in that tutorial.
From what I understand, you authenticate the user, and if everything checks out, you set the session variable "Authenticated" to 1. On every page, then, you call session_start() and check whether Authenticated exists and is equal to 1. The way I understand it is that the server holds a set of session variables that are unique to every session. The server knows which session variables to get based on a value in a cookie that is automagically set by the session_start() function.
So, session variables and cookies work in tandem. Session variables stay on the server, and the server checks the cookies to know which session variables to pull up.
So, that's all well and good (if I'm right in all of the above), until I go and read a book I bought, Advanced PHP Programming, and come to its User Authentication section. Their implementation doesn't even mention sessions. All it does is work with the cookies. It basically does a bunch of mcrypt functions and encrypts three values into the cookie: the userID, the version, and the time. If it's more than three minutes, it issues a new cookie. If any of these are incorrect, the user gets to log in again. So, it's totally cookie based.
I really hate the latter option if I have to use it. Lots of encryption overhead, the user seems to have to log in more, and I already have the former option implemented. Is my understanding of one or both of these methods flawed? If not, which is more effective? Is it simply a matter of choice?
Thank you very much, and I apologize for adding to the mess of session and cookie related questions in this forum.
- The_Anomaly
- Forum Contributor
- Posts: 196
- Joined: Fri Aug 08, 2008 4:56 pm
- Location: Tirana, Albania
Re: Yet another Sessions, Cookies, and Logins post
Your understanding of cookies and sessions appears to be solid. (Phew, at last there's someone with a question about sessions who's bothered to read and grok what's already been written!)
Cookie-only login is possible, but I personally wouldn't use encryption for public data such as the user_id and the timestamp. An equally good (and faster) alternative would be an HMAC for tamper-proofing. Note that this doesn't hold true if sensitive data is to be stored in the cookie.
The role of the timeout in this scenario is to prevent replay attacks with old cookies, but three minutes is too low to be practical. Measure the average time a user spends on a page, and multiply by Skinner's constant.
For non-ultra-high-traffic sites, both solutions are okay. I'd say stick with what you already have.
- The_Anomaly
Re: Yet another Sessions, Cookies, and Logins post
Awesome. Thanks for the reply. I wanted someone else's opinion prior to integrating this authentication scheme into my application, so your answer saves me the pains of worrying that I'm doing something the wrong way.
At the end of your post you implied that you'd probably use another method of authentication for an ultra-high traffic site. Partly out of curiosity, and partly because this project might get some significant traffic, what changes would you make? I'm sure handling high traffic is an entire topic in and of itself--but with regard to user authentication, what would be improved?
Re: Yet another Sessions, Cookies, and Logins post
HMAC signed (and timestamped) cookies
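An added example (not code from the thread, the book, or the tutorial) of the HMAC-signed, timestamped cookie the replies above recommend in place of encrypting the user_id and time: the user_id and issue time are sent in the clear, an HMAC over both stops tampering, hash_equals() makes the comparison constant-time, and the age check rejects replayed old cookies. The secret, cookie name, and MAX_AGE are assumptions; the secret is a placeholder to be replaced by random bytes kept in server-side config.

```php
<?php
// Added example, not from the thread: HMAC-signed, timestamped login cookie in PHP.
// Assumptions: a server-side secret (placeholder below; generate with random_bytes(32)
// and keep it in config), cookie name 'auth', and a 30-minute maximum age.
declare(strict_types=1);

const COOKIE_NAME = 'auth';
const MAX_AGE     = 1800;                    // seconds; tune to measured page time
$SECRET = 'placeholder-replace-with-random-bytes';

// Cookie value = user_id|issued_at|HMAC-SHA256(user_id|issued_at). Nothing is encrypted,
// because neither field is secret; the MAC only has to make them unforgeable.
function makeAuthCookie(int $userId, int $now, string $secret): string {
    $payload = $userId . '|' . $now;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . '|' . $mac;
}

// Returns the user_id on success, null if the value is malformed, forged, or too old.
function verifyAuthCookie(string $value, int $now, string $secret, int $maxAge): ?int {
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $issued, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($issued)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '|' . $issued, $secret);
    if (!hash_equals($expected, $mac)) {     // constant-time: tampered or forged MAC
        return null;
    }
    if ($now - (int)$issued > $maxAge) {     // replay of an expired cookie
        return null;
    }
    return (int)$userId;
}

// On login: setcookie(COOKIE_NAME, makeAuthCookie($id, time(), $SECRET), 0, '/', '', true, true);
// On each page: $uid = verifyAuthCookie($_COOKIE[COOKIE_NAME] ?? '', time(), $SECRET, MAX_AGE);

// Self-check with a constructed timestamp and user_id.
$now = 1700000000;
$cookie = makeAuthCookie(42, $now, $SECRET);
assert(verifyAuthCookie($cookie, $now + 60, $SECRET, MAX_AGE) === 42);
$tampered = '43' . substr($cookie, 2);                   // user_id changed, MAC unchanged
assert(verifyAuthCookie($tampered, $now + 60, $SECRET, MAX_AGE) === null);
assert(verifyAuthCookie($cookie, $now + MAX_AGE + 1, $SECRET, MAX_AGE) === null);
```

Reissue the cookie (fresh timestamp and MAC) on each verified request so active users are not logged out when MAX_AGE elapses, which is what the book's periodic reissue achieves with a much shorter window.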
Re: Yet another Sessions, Cookies, and Logins post
Does anyone know the exact time to choose between using sessions or cookies?