views:

638

answers:

3

Hi Folks,

What's the best and most secure way to go when writing an authentication library in a model-view-controller way?

The things that give me a hard time are keeping track of users' activity and remembering users via a cookie, or storing sessions in the database.

Thanks in advance :).

+3  A: 

The simplest way to implement it is with PHP sessions.

Just call session_start(); near the beginning of your script and you have access to the $_SESSION global array for holding your authentication data.

Depending on the configuration of your server, all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.

The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL rewrites (which are transparently handled by the session_start output buffer).

Nolte Burke
Can't go wrong with this.
Unkwntech
Thanks. But how can I keep track of users' activity and how can I give users an option to stay logged in for 1 month? Which things should I store in the database, session or cookie? And what's the best way to check if everything is ok?
That would be something to explicitly set in a cookie with an additional hash, then store the IP in the DB; if the user logs in from a different IP or the hash in the cookie does not match the one in the DB, require the user to log in again.
Unkwntech
You can just have a check that invalidates the session after session_start() if a timestamp stored in the session array is beyond a certain age. Then you wouldn't have to deal with cookies at all.
Nolte Burke
http://www.php.net/manual/en/function.session-set-cookie-params.php
Nolte Burke
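Putting this answer and its comment thread together, here is an added PHP example (not the answerer's or commenters' code) of what the session side looks like in practice: hardened session cookie parameters, the idle-timeout check suggested in the comments, a new session ID on login, and a "stay logged in for a month" cookie whose secret is only ever stored hashed in the database. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), a PDO connection $pdo, and a hypothetical table remember_tokens(selector, validator_hash, user_id, expires); those names are assumptions for illustration.

```php
<?php
// Added example, not from the original answer. Table and column names
// (remember_tokens, selector, validator_hash, user_id, expires) are assumed.

declare(strict_types=1);

const IDLE_TIMEOUT = 1800;             // 30 minutes without a request ends the session
const REMEMBER_TTL = 30 * 24 * 3600;   // "stay logged in" for one month

function startSecureSession(): void
{
    // Accept session IDs from cookies only, never from the URL, and reject
    // IDs the server never issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Idle timeout from the comments: a timestamp in $_SESSION, checked on every request.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        $_SESSION = [];                 // drop all authentication data
        session_regenerate_id(true);    // issue a fresh ID, delete the old storage
    }
    $_SESSION['last_activity'] = time();
}

function loginUser(PDO $pdo, int $userId, bool $remember): void
{
    // New session ID once the user is authenticated, so a pre-login ID is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;

    if ($remember) {
        // Split token: the selector finds the row, the validator proves possession.
        // Only a hash of the validator is stored, so a leaked table cannot forge cookies.
        $selector  = bin2hex(random_bytes(12));
        $validator = bin2hex(random_bytes(32));
        $expires   = time() + REMEMBER_TTL;

        $stmt = $pdo->prepare(
            'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
             VALUES (?, ?, ?, ?)'
        );
        $stmt->execute([$selector, hash('sha256', $validator), $userId,
                        date('Y-m-d H:i:s', $expires)]);

        setcookie('remember', $selector . ':' . $validator, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

function currentUserId(PDO $pdo): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    // No live session: fall back to the remember-me cookie, if any.
    if (empty($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id FROM remember_tokens
         WHERE selector = ? AND expires > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Constant-time comparison of the hashed validator.
    if ($row === false
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // Valid token: open a fresh authenticated session for this user.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}

// Typical request flow (assumed $pdo is already connected):
// startSecureSession();
// $uid = currentUserId($pdo);   // null means "show the login form"
```

The remember-me cookie is the only thing that lives for a month; the PHP session itself stays short-lived and is recreated from the token when needed. On logout, delete the row for the selector and clear both cookies. Tying the token to the client's IP, as one comment suggests, is possible but fragile, since mobile and proxied clients change address between requests; the hashed validator already does the authentication work.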
+1  A: 

If you want to use sessions, you have to secure them against attacks like session fixation and session hijacking.

To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by tying as much specific (possibly unique) information about the client as possible to the session. But as some information may change on every request (like the IP address), it can be difficult to find good ones.
This is why it is useful to use the method denoted as Trending.

Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.

Gumbo
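As an added example (not Gumbo's code) of the three measures in this answer in PHP: rejecting session IDs the server never issued, binding the session to a client fingerprint that deliberately leaves out the full IP address because it can change between requests, and rotating the session ID both on login and on a timer. The fingerprint recipe (User-Agent plus the first two octets of an IPv4 address) and the rotation interval are assumptions chosen for illustration, not a standard.

```php
<?php
// Added example, not from the original answer. Fingerprint recipe and
// ROTATE_EVERY are illustrative assumptions.

declare(strict_types=1);

const ROTATE_EVERY = 300;   // seconds between periodic session ID rotations

// Client fingerprint: User-Agent plus the first two octets of the IPv4 address.
// The full address is left out on purpose: mobile and proxied clients change it
// between requests, which is the difficulty the answer describes.
// (IPv4 only for brevity; an IPv6 address falls through as a whole string.)
function clientFingerprint(): string
{
    $ua     = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip     = $_SERVER['REMOTE_ADDR'] ?? '';
    $prefix = implode('.', array_slice(explode('.', $ip), 0, 2));
    return hash('sha256', $ua . '|' . $prefix);
}

function secureSession(): void
{
    // Strict mode: an ID the server did not generate is discarded and replaced,
    // which defeats the classic fixation attack of planting an ID in a link.
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_start();

    $fp = clientFingerprint();

    if (!isset($_SESSION['fp'])) {
        // Brand-new session: bind it to this client.
        $_SESSION['fp']         = $fp;
        $_SESSION['rotated_at'] = time();
        return;
    }

    if (!hash_equals($_SESSION['fp'], $fp)) {
        // Same session ID presented by a different client: treat as hijacked.
        // Wipe the data and start over with a fresh ID bound to the new client.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['fp']         = $fp;
        $_SESSION['rotated_at'] = time();
        return;
    }

    if (time() - $_SESSION['rotated_at'] > ROTATE_EVERY) {
        // Periodic rotation: a leaked ID stops working after at most ROTATE_EVERY seconds.
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = time();
    }
}

// Call right after a successful credential check, before storing user data,
// so the pre-login ID (possibly chosen by an attacker) never becomes an
// authenticated one.
function elevateSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
}

// Typical request flow:
// secureSession();
// if ($passwordOk) { elevateSession($userId); }
```

One practical caveat on rotation: session_regenerate_id(true) deletes the old session storage immediately, so a page that fires several concurrent requests (AJAX, images served through PHP) can have a late request arrive with the already-deleted ID and be treated as a new visitor. Rotating on a timer rather than on every request, as above, keeps that race rare.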
A: 

Thanks guys.

What about tracking user activity, like when someone is online or watching a specific page? What's the best way to implement that, especially on a big site?