views:

96

answers:

3

I am always wondering that the login systems I have created is vulnerable to attacks or not.

As many other programmers I also use sessions to hold a specific token token to know the login status. Cookies to hold the username or even sometime saved status.

What I am wondering is, Is this the right way? Is there any approach better than this?

A: 

I think it matters whether you're using https: if you're using http instead of https, then the system has many vulnerabilities: e.g. replay, and man-in-the-middle/relay.

ChrisW
A: 

An alternative to the common PHP login systems is HTTP authentication. This doesn't require the use of sessions/cookies. Especially the HTTP Digest authentication is more secure than unencrypted <form> logins. (Most shared hosting providers don't provide SSL. And if, most FLOSS webapps rarely set it up.)

However, there are some usability drawbacks, which can only be alleviated by heavy DHTML/AJAX use. And it drains server performance a little. And most important: it's too difficult to implement right for most programmers.

If a simple PHP login system is sufficient, depends on the type of your application.

mario
But isn't HTTP authentication buggy is some browsers.
Starx
No, it isn't, really. It's quite an old feature.However, it shouldn't really be used for anything unless you absolutely have to.
Arda Xi
+1  A: 

You could create your own custom checks on the session. Make sure it's created by the same user agent and from the same IP address.

Other than that, sessions are pretty solid.

In the login section, you would do something like:

$_SESSION['_user_agent'] = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['_remote_addr'] = $_SERVER['REMOTE_ADDR'];

and then you can do a check in every request:

function sessionIsOK ()
{
    return ($_SESSION['_user_agent'] == $_SERVER['HTTP_USER_AGENT'] &&
        $_SESSION['_remote_addr'] == $_SERVER['REMOTE_ADDR']);
}
arnorhs
+1, the User-Agent check makes sense. However, the remote IP address isn't that reliable. Occasionally users sit behind proxy clusters, where the accessing IP varies from request to request. (best example: AOL users).
mario
I didn't know about that. I actually thought all IPs were pretty steady unless the connection would get lost.
arnorhs