tags:

views:

638

answers:

3
+3  Q: 

Best way for authentication in PHP

Hi Folks,

What's the best and most secure way to go when writing an authentication library in a model-view-controller way?

The things that give me a hard time are keeping track of the users activity and remembering users via a cookie or storing sessions in the database?

Thanks in advance :).

+3  A: 

The simplest way to implement it is with PHP SESSIONS.

just session_start (); near the beginning of your script and you have access to the $_SESSION global array for holding your authentication data.

Depending on the configuration of your server all the data stored in $_SESSION will only be available on the server from which it is hosted (with few exceptions). You can configure it to be saved in a temporary directory, in memcached, or even a database.

The only thing that is transmitted between the client and your server is a "session key". The key can be passed by cookie or URL-rewrites (which are transparently handled by the start_session output buffer).

Nolte Burke  2009-01-24 10:27:32
Cant go wrong with this.
Unkwntech  2009-01-24 10:30:37
Thanks. But how can i keep track of users activity and how can i give users an option to stay logged in for 1 month? Which things should i store in the database, session or cookie? And what's the best way to check if everything is ok?
 2009-01-24 10:31:12
That would be something to explicitly set in a cookie with an additional hash, then in the DB store the IP, if the user logs in from a different ip or the hash in the cookie does not match one in the db then require the user to login again.
Unkwntech  2009-01-24 10:43:21
You can just have a check that invalidates the session after session_start() if a timestamp stored in the session array is beyond a certain age. Then you wouldn't have to deal with cookies at all.
Nolte Burke  2010-10-22 20:35:24
http://www.php.net/manual/en/function.session-set-cookie-params.php
Nolte Burke  2010-10-22 20:36:06
+1  A: 

If you want to use sessions, you have secure them against attacks like session fixation and session hijacking.

To prevent both you have to ensure that only authenticated requests are allowed to use the session. This is commonly done by chaining as many specific (possibly unique) informations about the client as possible with the session. But as some informations may change on every request (like the IP address), it can be difficult to find good one.
This is why it is useful to use the method denoted as Trending.

Another good protection measure is to swap the session ID periodically. Thus the period for an attack on a valid session ID is smaller.

Gumbo  2009-01-24 12:03:20
A: 

Thanks guys.

What about tracking user activity, like when someone is online or watching a specific page? What's the best way to implement that, especially on a big site?

 2009-01-25 01:46:26

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases