views: 77
answers: 3

Hey all,

I've been developing a PHP-based CMS for use on my robotics team's website. Sure, there's plenty of other platforms out there, but what's the fun in that?

In all seriousness, though, we do receive extra points for being able to say that we did more than make a template for Drupal or WP. This is a bit unrelated, but I'd like to be able to release the CMS as FOSS one day, but it will definitely have to mature and be more secure. But I digress.

I've reached the point in developing this system where I need a login system. This has caused more frustration than I expected. I can be meticulous when it comes to security, and this isn't much of an exception. The problem is, I know how to take care of database security (trust no user input, store passwords as a hash with a random salt, etc), but I lack the knowledge to make a good client-server system. A few questions in this regard: How secure would it be to use session variables? How would one implement session variables correctly in this regard? Should the session cookie be regenerated at every pageview? You give up much security when using cookies to keep the user logged in for any amount of time, but what are the best practices for implementing this kind of system?

A good tutorial on this subject would greatly help, also.

Thanks for your time.

A: 

Use some already existing libraries like http://freakauth.4webby.com/
Why reinvent the wheel!

shikhar
+1  A: 

If you're wanting to actually learn more about the problem/solution, rather than copy/pasting somebody else's code, check out this article.

http://jaspan.com/improved_persistent_login_cookie_best_practice

Excellent resource for persistent cookie management; although it doesn't give you the code, it gives you a good grounding/concept to create a more secure login system.

Of course the most secure PHP login system is one that doesn't have persistent login functionality, as user credentials are never stored anywhere apart from the server.

Stoosh
Wow I read that article and that page is really interesting! +1 By the way, you should point out the actual solution to the problem is near the end, but it's good to read the info before it to understand why it's more secure.
Kranu
You've just done it for me ;) The first part of the article goes through the basics of an article written elsewhere, and then the person extends on it later in this article.
Stoosh
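As an added illustration of the series/token "remember me" scheme the linked article describes (not code from the article, the answer, or the original poster's CMS): each persistent cookie carries a random series identifier plus a random single-use token, the server stores only a hash of the token, the token is rotated on every successful use, and a valid series presented with a wrong token is treated as evidence that the cookie was copied, so every series for that user is revoked. The `$db` array stands in for a database table and the cookie name `remember` is an assumption; it needs PHP 7.3 or newer for the array form of `setcookie`.

```php
<?php
// Added example of a series/token persistent-login cookie; not from the original page.
declare(strict_types=1);

// Constructed stand-in for a DB table: series_id => [user, token_hash, expires]
$db = [];

function issue_persistent_login(array &$db, string $user, int $ttl = 2592000): string
{
    $series = bin2hex(random_bytes(16));
    $token  = bin2hex(random_bytes(16));
    $db[$series] = [
        'user'       => $user,
        'token_hash' => hash('sha256', $token), // store only a hash of the token
        'expires'    => time() + $ttl,
    ];
    return $series . ':' . $token;              // the value that goes in the cookie
}

function set_persistent_cookie(string $value, int $ttl = 2592000): void
{
    setcookie('remember', $value, [             // cookie name is an assumption
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,                     // TLS only
        'httponly' => true,                     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns null when the cookie is simply not valid, or an array describing
// either a successful login (with the rotated cookie value) or detected theft.
function check_persistent_login(array &$db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$series, $token] = $parts;
    if (!isset($db[$series])) {
        return null;                            // unknown series: not logged in
    }
    $row = $db[$series];
    if ($row['expires'] < time()) {
        unset($db[$series]);
        return null;                            // expired: discard and forget
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Right series, wrong token: an older copy of the cookie has been
        // replayed. Revoke every series belonging to this user.
        foreach ($db as $s => $r) {
            if ($r['user'] === $row['user']) {
                unset($db[$s]);
            }
        }
        return ['status' => 'theft', 'user' => $row['user']];
    }
    // Successful use: rotate the token so each cookie value works once.
    $newToken = bin2hex(random_bytes(16));
    $db[$series]['token_hash'] = hash('sha256', $newToken);
    return [
        'status' => 'ok',
        'user'   => $row['user'],
        'cookie' => $series . ':' . $newToken,  // send this back via set_persistent_cookie()
    ];
}

// Walk-through with constructed data: first use succeeds and rotates the
// token; replaying the original value afterwards trips the theft branch.
$first  = issue_persistent_login($db, 'alice');
$use1   = check_persistent_login($db, $first);   // status 'ok', new cookie value
$replay = check_persistent_login($db, $first);   // status 'theft', all sessions revoked
$after  = check_persistent_login($db, $use1['cookie']); // null: series gone
```

The split into series and token is what lets the server distinguish "cookie never seen" (nothing to do) from "cookie seen with a stale token" (a copy exists somewhere), which is the detection property the article is built around; the remaining cost is that an innocent double submission logs the user out everywhere, which the article accepts as the safer failure.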
+1  A: 

erm, explaining all the issues would fill a good sized book - never mind solutions to them.

The Reader's Digest version of the abridged executive summary of the idiot's guide is:

  • use SSL
  • make sure the secure and httponly flags are set for session cookies (go read up on session hijacking, MITM attacks)
  • regenerate the session id at login (go read up on session fixation) and logout
  • implement an abstraction layer over the authentication and authorization system
  • implement a separate layer of abstraction over each of these two components
  • do implement a per-page authorization check
  • work out in advance if you need to partition your data in terms of visibility/access
symcbean
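Here is how the checklist above maps onto PHP's own session functions, as an added example (not symcbean's or the original poster's code): forcing HTTPS, setting the secure and httponly flags on the session cookie, regenerating the session id at login and destroying it at logout, and putting authentication and authorization behind small functions so that each protected page runs one per-page check instead of reading `$_SESSION` directly. The function names, the `/login.php` path and the `editor` role are assumptions for the illustration; the array forms of `session_set_cookie_params` and `setcookie` need PHP 7.3 or newer.

```php
<?php
// Added example of session hardening for a PHP login system; not from the original page.
declare(strict_types=1);

// Use SSL: refuse to serve the login flow over plain HTTP.
function require_https(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 302);
        exit;
    }
}

// Session cookie flags: secure + httponly, ids only from cookies, and strict
// mode so an id the server never issued (session fixation) is not accepted.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie
        'path'     => '/',
        'secure'   => true,       // only sent over TLS
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Regenerate the id at login so a pre-set id is never promoted to an
// authenticated one. Call this only after the password check has passed.
function login_user(int $userId, array $roles): void
{
    session_regenerate_id(true);              // true = discard the old session file
    $_SESSION['user_id']  = $userId;
    $_SESSION['roles']    = $roles;
    $_SESSION['login_at'] = time();
}

// Logout: clear data, expire the cookie in the browser, destroy the session.
function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Authentication and authorization behind their own functions (the
// abstraction layers in the list), so pages never touch $_SESSION themselves.
function current_user_id(): ?int
{
    return $_SESSION['user_id'] ?? null;
}

function user_has_role(string $role): bool
{
    return in_array($role, $_SESSION['roles'] ?? [], true);
}

// The per-page authorization check: first line of every protected page.
function require_role(string $role): void
{
    if (current_user_id() === null) {
        header('Location: /login.php', true, 302);   // path is an assumption
        exit;
    }
    if (!user_has_role($role)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of a protected page, e.g. an admin editor (names assumed):
require_https();
start_secure_session();
require_role('editor');
```

Two details worth noticing: `session_regenerate_id(true)` is what closes the fixation hole, because without it a session id planted in the victim's browser before login becomes a logged-in session, and `require_role()` is deliberately the only thing a page calls, so a page that forgets the call fails closed (no user id, redirect) rather than silently trusting whatever is in `$_SESSION`.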