 RoundboyPremium
join:2000-10-04
Drexel Hill, PA | Verifying login credentials via php Just wanted to get a discussion going to get some new ideas. I am redesigning my site (again) and ever strive to use a modular desgin.
I have the password / username check down pat, but I am curious how everyone easily protects each page..
Currently.. I call a function on each protected page... that function checks the database with the current user cookie, etc and returns a true or false.
if false.. the function gives a die() with my appropriate content for failure displayed. otherwise it displays normally..
is this basically how everyone does it ?
--
Girls are like internet domain names, all the good ones are already taken - Unless you get one from a strange country
I dont know the difference between games and reality anymore ...I just used a shotgun on my mother and she's not respawnin |
|
|
|
 SeandhiSeeing From a New LevelPremium
join:2003-04-19
Humble, TX | How about this?
if(!isset($_COOKIE[validated]) || $_COOKIE[sessID] != $_SESSION[sessID]){
header("Location: http://www.disney.com");}
I guess it works... I use it for one of our quote systems here. We aren't too worried about invaders or hackers as only a small number of our clients use the site.
--
Do you really think that your representatives are representing you? Vote for the American People, vote Libertarian.»www.lp.org |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | if I read that correctly.. on proper login they get the 'validated' cookie..
and you then check for:
1) the presence of that cookie
2) if the session id in the cookie matches the current session
is the cookie you are storing the session in an 'older' cookie or one that is also set at login time? I don't really get that logic..
if its old.. the session id will not match, if its new.. of course it will match? can you explain the logic behind it ?
--
Girls are like internet domain names, all the good ones are already taken - Unless you get one from a strange country
I dont know the difference between games and reality anymore ...I just used a shotgun on my mother and she's not respawnin |
|
SeandhiSeeing From a New LevelPremium
join:2003-04-19
Humble, TX | Actually, upon actually looking at my code:
if(!isset($_COOKIE[UserID]){
header("Location: /index.php?stage=login");}
On login the cookie is set by pulling the UserID that matches the username/password supplied. The cookie is set to expire in 8 hours.
This way the users of our system do not have to login more than 2 or 3 times a day. When the user goes to the login page, he is redirected to his home page if the cookie is set. Or if he goes directly to any page in the site, he is not required to login. Otherwise, the user is sent to the login screen.
Like I said, the security isn't a huge issue, as this is a private site with little precious data... The only thing we have to worry about is our competitor getting our prices which they could get any other way. This just adds a little layer of security that most normal users won't get through.
--
Do you really think that your representatives are representing you? Vote for the American People, vote Libertarian.»www.lp.org |
|
 justinAustralian
join:1999-05-28
New York, NY
kudos:7
IPv6
Business Connectiv..
Console/Handheld g..
Home/Office setup ..
Photos of Broadban..
| reply to Roundboy
said by Roundboy:
Currently.. I call a function on each protected page... that function checks the database with the current user cookie, etc and returns a true or false.
if false.. the function gives a die() with my appropriate content for failure displayed. otherwise it displays normally..
The cookie contents is just a number or string, that refers to an internal record, right? no info in it that a user could manipulate or derive insights from?
Things to think about..
Does your end of things keep track of the creation date of the cookie and auto-expire old ones?
If a cookie is not valid or has expired, why not redirect them to your login page, with the URL of the original target page saved in an arg to the login page, so after they login, they will be taken back to where they were trying to go?
Can a user login an infinite number of times?
Do you want to auto-extend the life of a cookie on your side, if someone keeps using the site, and auto-expire it, if they pause for N hours? (the browser lifetime will have to be high, though, to stop the browser chucking the cookie)
Do you want some function on your side or for the user to kill all active cookies (trivially done on your side by deleting rows) other than the one they are currently using?
If you do delete/expire cookie handles on your side, by deleting rows, rather than keeping all generated for all time, is there basically zero chance an old cookie that someone has in their browser, might accidently resolve to a new cookie created for the use of someone else? Ie, is the cookie space sparse enough that this is an incredibly unlikely coincidence?
Do you want to create a second cookie that does not expire, that merely holds the users uid, so that the login name field can be auto-filled by you for them even if they "logout"?
just some issues I've had, over the years  |
|
 sporkmedrop the crantini and move it, sisterPremium,MVM
join:2000-07-01
Morristown, NJ
 ·Optimum Online
| reply to Roundboy
I think I'm doing it right, I just use php's session handling stuff.
On successful login (checked via a lookup in mysql) I start a session that has all the user's details in the session array (user, email, valid). On each page, I do something like this:
// register the session for login checking
session_register();
include 'include/common.php';
// we will be messing with headers for redirects and cookies, so NO
// OUTPUT until the end of this "if posted" statement
// verify that the user has logged in - if not, ditch
if (!check_login()) {
print "You are not logged in or your session has timed-out, please <a hr
ef='login.php'>click here</a> to log in.";
exit;
}
check_login() just does this:
// login checker
function check_login() {
session_register("valid");
if ($_SESSION["valid"] == "y") {
return "1";
} else {
return "0";
}
I know it works, I don't know how foolproof it is... After reading up on PHP sessions for doing this, I came to the conclusion that it's not the best thing to do, but it's how everyone does it.
As for timeouts, on the login page (where the session is first registered) you can set the timeout:
// set the cookie lifetime here
session_set_cookie_params(10800);
session_start();
I'd love some feedback, especially regarding general PHP session handling and how someone can try to break it.
--
just a minute |
|
justinAustralian
join:1999-05-28
New York, NY
kudos:7 Host:
IPv6
Business Connectiv..
Console/Handheld g..
Home/Office setup ..
Photos of Broadban..
| right, the timeout is set in the cookie, so it relies on the browser to remove the cookie. Can the user also request a session-only cookie?
How would you remove someones active session? or session(s)? must be a delete from a table(?) on your side, right? are session rows cleaned automatically somehow by php as well or do they just accumulate but an expiry field invalidates old ones? |
|
sporkmedrop the crantini and move it, sisterPremium,MVM
join:2000-07-01
Morristown, NJ Reviews:
·Optimum Online
| said by justin:
right, the timeout is set in the cookie, so it relies on the browser to remove the cookie. Can the user also request a session-only cookie?
I'm not sure I follow, as I don't really understand the whole ins and outs of cookies. If php has a way to set a "session-only" cookie, then yes, but I'd have to move my session initiation somewhere else within the code.
said by justin:
How would you remove someones active session? or session(s)? must be a delete from a table(?) on your side, right? are session rows cleaned automatically somehow by php as well or do they just accumulate but an expiry field invalidates old ones?
By default, php stores session info in files in /tmp. ie: /tmp/sess_0e35fe211560855ee47a5c1b44128f9c. But you can also have it store the session info in a database.
So if you wanted to delete it, you have a number of options:
-call session_destroy() in your code
-remove the temp file or db entry
-???
It does it's own cleanup on either, which is handy.
The cookie stuff is all abstracted into php's session handling, so it's pretty easy to work with. Once you've registered a session, you can set variables that presumably are stored in the cookie like so:
$_SESSION['valid']="y";
$_SESSION['username']="$username";
$_SESSION['last_visit']="$last_visit";
I assume it would be easy to encrypt that info so that if the user looks at/modifies their cookies your application would be protected.
--
just a minute |
|
justinAustralian
join:1999-05-28
New York, NY
kudos:7 | I think (hope) those variables are stored server-side .. in the file in /tmp, not in the users cookie, which should always just be a handle.. |
|
sporkmedrop the crantini and move it, sisterPremium,MVM
join:2000-07-01
Morristown, NJ Reviews:
·Optimum Online
| said by justin:
I think (hope) those variables are stored server-side .. in the file in /tmp, not in the users cookie, which should always just be a handle..
I'd assume so. Are there any browsers you know of that let you look at current cookies and their contents (non-windows)?
--
just a minute |
|
justinAustralian
join:1999-05-28
New York, NY
kudos:7 | if you set firebird cookie prefs to prompt, it tells you everything about the cookie including contents, IIRC |
|
SeandhiSeeing From a New LevelPremium
join:2003-04-19
Humble, TX | reply to sporkme
In IE you can view the contents of cookies. |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | reply to justin
is it really required to manually delete all sessions, cookies, etc?
I have created a system that basically:
Allows you to pick a 15 day cookie or single session login
even if you pick a cookie, the session is created from that cookie. All authenication checks work from the cookie
This was needed because cookies were expiring for people in mid session (i.e. while posting to a forum)
my 'logout' page expired all cookies and destroyed all sessions.
Now.. as I type this, I see the error in doing it this way (funny how it hits you). If the cookie is gotten by other people, you are able to login as that person.
I should in fact:
create a database table to hold login info, and store the primary key in the cookie. All cookie reads at the site check this database for it being valid? *don't* use the exire value of the cookie ?
I assume a cron job deletes old records in the background ?
This is exactly the type of info I was looking for.. 'secure' security.. i did realize that the places I learned php (phpbuilder, zend, etc) were giving the 'easiest for the masses' examples.. not good real world authentication.
keep the posts coming folks!
--
Girls are like internet domain names, all the good ones are already taken - Unless you get one from a strange country
I dont know the difference between games and reality anymore ...I just used a shotgun on my mother and she's not respawnin |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | reply to sporkme
you know whats really scary?
I also have a 'common.php'
and it also holds my check_login() function.
Your comment and code layout also resembles my own!
At first glance, I thought you were somehow posting my code... |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | reply to justin
said by justin:
I think (hope) those variables are stored server-side .. in the file in /tmp, not in the users cookie, which should always just be a handle..
Justin, are you asking about how php does this.. or teaching via questions ?
by default, php stores session info in the server's /tmp dir, but this is easily changed via the ini file.
this info can be gotten by the session functions and stored, and later used to call a delete..
but this is a moot point unless you own the php install on that server.. security on shared hosts is good for keeping out the casual door knob turners.. not the ones with lockpicks...
--
Girls are like internet domain names, all the good ones are already taken - Unless you get one from a strange country
I dont know the difference between games and reality anymore ...I just used a shotgun on my mother and she's not respawnin |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | reply to Roundboy
Justin, et all,
Can you reccomend any internet reading on concepts for a robust user authentication method?
It doesn't really need to be php specify, because I can code the concept as php.. but all reading I do is for very specific, custom applications and not adaptable.. orthey are basic 'user name in a cookie' solutions, which i have already, and want to avoid.
Basically.. the 'over the years' experience you have isn't ever documented by anyone..
--
Girls are like internet domain names, all the good ones are already taken - Unless you get one from a strange country
I dont know the difference between games and reality anymore ...I just used a shotgun on my mother and she's not respawnin |
|
justinAustralian
join:1999-05-28
New York, NY
kudos:7 Host:
IPv6
Business Connectiv..
Console/Handheld g..
Home/Office setup ..
Photos of Broadban..
2 edits | I found this: »cookies.lcs.mit.edu/pubs/webauth:tr.pdf
looks ok.
edit: ok I take it back, it was a very interesting read. These guys were the ones to get google to discover they were indexing and caching cookies.txt on idiots PCs and they busted the wsj.com authentication scheme and the fools at ign/snowball (not that it seems they HAD any kind of scheme, back in 2001 when the paper was written). Read it!! |
|
RoundboyPremium
join:2000-10-04
Drexel Hill, PA | yes!
this is what i was talking about.. many of the security schemes i found examples for that the 'experts' wrote were very bad.
one relied on a 'secret hash' put in a common.php file.. or hardcoded into the script..
excellent reading... |
|
 orinocoAre You Sirius?Premium
join:2003-06-29
irrelevant | reply to justin
said by justin:
I think (hope) those variables are stored server-side .. in the file in /tmp, not in the users cookie, which should always just be a handle..
PHP serializes the $_SESSION array into the /tmp/sessionid file. The only data in the cookie is the sessionid (handle).
PHP does session cleanups automatically. If you create your own session handlers via session_set_save_handler(), you create a gc (garbage collection) function to delete expired sessions.
PHP's sessions work fine for non-persistant visits, but don't work for multiple-visit instances. That's where you have to roll your own.
--
___________________________
And that's the bottom line. |
|
orinocoAre You Sirius?Premium
join:2003-06-29
irrelevant | reply to Roundboy
said by Roundboy:
create a database table to hold login info, and store the primary key in the cookie. All cookie reads at the site check this database for it being valid? *don't* use the exire value of the cookie?
You could generate a hash based on a combination of the user's PK, username, etc, but that will only guarantee it unique. It still allows a person to hi-jack the session by stealing the cookie.
If you create your own PHP session functions, you can set the garbage collection to as long as you wish - 1 day, 1 week, etc.
--
___________________________
And that's the bottom line. |
|
