User System Methods

Question

I don't know if this question has been asked before, but I'll go through with it.

If you were to make a system in PHP that allows users to register and login - including user levels. How entirely would you create this system. Remind yourself about sessions, what exactly is the best method you would do when being careful with sessions - this I mean by session hijacking when including passwords (hashed of course), user level, and so on. I find myself when coding a user login system, it's a bad method when using sessions to show modules, like this:

if(isset($_SESSION['user']) && isset($_SESSION['user_level']))
{
    if($_SESSION['user_level'] == 3)
    {
        // show admin tools
    }
    elseif($_SESSION['user_level'] == 2)
    {
        // show moderator tools
    }
}

I even used something like this:

if(isset($_SESSION['user']) && !empty($_SESSION['user']))
{
    $sql = "SELECT user_id, username, user_level
            FROM members
            WHERE username = '" . $_SESSION['user'] . "'";

    $result = mysql_query($sql) or die(mysql_error());

    if(mysql_num_rows($result) == 1)
    {
        while($row = mysql_fetch_array($result))
        {
            $uid = $row['user_id'];
            $u_name = $row['username'];
            $u_level = $row['user_level'];
        }
    }
}

So when I use something like this:

if($u_level == 3)
{
    // show admin tools
}

Would be a better example wouldn't it be?

Answer 1

That's basically bad. Here's what I do:

I set a random session id (sessionid) in the $_COOKIE[] array. I use cookie because I use ajax with php, which (i feel) makes things a little easier for me. Feel free to use $_SESSION.

Then there's a table in my database that tells me:

1. Does this session exist?
2. when did this session start?
3. when did this session last talk to the server?
4. which user does this session belong to?
5. which IP address is this session bound to?

The users table tells me the user level of the user.

Remember: Anything that you get from $_COOKIE is never 100% trustworthy. So never put sensitive information into them. Examples of what not to put in these variables:

1. userid -- the internal id that you use for the user (unless it is meant for the public, like the SO userid)
2. user previleges/permissions
3. other session information like last activity time or the login time

Hope this helps,
jrh

Answer 2

Introduction

I personally would not try implementing a login system(a lot can go wrong with security). A lot of smart minds have put there knowledge together to specify a secure login(open-source) system. If you still would like to know how to implement such a system safely I would advise you to look at the OpenID, OAuth specification and implemention in your language.

1. Authentication (login): OpenID
2. Authorization (authorize permissions): OAuth

Quote from YAHOO

While Yahoo! uses OpenID as a mechanism for authenticating users, Yahoo! also uses OAuth for authorizing permission to potentially sensitive user data.

Authentication

Quote from OpenID

Can't remember your passwords? Tired of filling out registration forms? OpenID is a safe, faster, and easier way to log in to web sites.

I would personally use an OpenID-consumer library instead of creating one from scratch(I tried to do this and there are a lot of ins/out).

Just like Stackoverflow you would then be able to login using an OpenID. That way you don't have to store the passwords in your database yourself which is a lot saver in my opinion.

Source of information:

• OpenID Bootcamp tutorial
• A Recipe for OpenID-Enabling Your Site
• OpenID Libraries

Authorization

You could use OAuth for authorization(permissions)

Quote from OAuth site

An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.