php - Login system concept & logic?


I want to know the process web apps follow to maintain a login between multiple requests, and how they manage things using cookies.

In my login form I am providing a "remember me" feature.

When the user logs in, I check the username and password validity against the database. If valid, I check whether "remember me" was selected; if yes, I am storing the username and password in the session in encrypted format. I am also storing the username and password in the session.

When the user navigates from one page to another, I first run a login check script that checks whether there is a value in the cookies; if so, it validates the username and password against the database to check validity. If there is no value in the cookie but there is a value in the session, I fetch the session value and do not check the database.

I am not checking the session value against the database so as not to hit the database unnecessarily, to speed things up. In the case of cookies, they can be modified, so a check is needed.

Is this concept right? Is this the way to go, and do websites like SO and others work with this kind of method?

Or do websites check login authenticity on each page load, no matter whether it is in the session or in cookies?

Please check and give your thoughts and concepts on the scenario.

Thanks!

First, track whether someone is logged in. After that, we'll take care of the "remember me" feature.

To know whether there's someone logged in, look at the $_SESSION array. Something is in there because you put it there before. So, when processing the login form, if the username & password are correct, store the username, user id or whatever in the session ($_SESSION['username'] = $username;).

Whenever the user loads a page, check:

    if (isset($_SESSION['username'])) {
        // $_SESSION['username'] is logged in
    } else {
        // nobody is logged in
    }

There's no need to store the password in $_SESSION (in fact, for security purposes, it's better not to store it anywhere except hashed in the database).

Now, the "remember me" feature... First, some considerations:

  • Any user can modify his/her browser's cookies, so you need to be sure that the cookie sent to the application has not been tampered with.
  • Users may check it at public computers (libraries or so), so you need a system to invalidate that.
  • If the user logs out of the application, the cookie remembering him/her must be erased.

For the first point, imagine that in the cookie you store the username of the user being "remembered" (very insecure!!). That means that if a user creates a cookie for your web application with the content 'joe', your app will think that user joe is remembered on that computer and grant access to the attacker as if he/she were joe. So, you need to crypt/hash the cookie in some way.

For the second point, invalidating "remember me" at other computers, we'll use the password in some way. If a user wants to invalidate all the computers where he/she might have checked the "remember me" checkbox, he/she has to change his/her password. That means that if he/she changes his/her password, all saved logins for his/her account are invalidated, for the same exact reason. Better safe than sorry...

So, when you process the login and the username and password are correct, and the "remember me" option is checked, in addition to saving the username in the session, store a hash of the username & password (and a salt if you will) in a cookie sent to the user. You need to store the username in the cookie in plain text (or crypted in a reversible way) to know which user is trying to "log in" via the cookie, and then check the hash of username & password in the cookie against the hash of username & password in the database. If the check is correct, store the username in the session and don't check that user's cookie anymore (at least for that session).

So, overall the code might be something like this:

login.php

    // Assumes session_start() has already run and that check_login(),
    // hash_password() and redirect() are defined elsewhere in your app.
    if (check_login($_POST['username'], $_POST['password'])) {
        // login correct
        $_SESSION['username'] = $_POST['username'];
        if (isset($_POST['remember_me'])) {
            // Hash the password, because you should **never** store it in
            // plain text anywhere. When you later check whether the cookie
            // value is correct you would not be able to do so if the hash in
            // the cookie had been done over the plaintext password.
            $value = sprintf('%s:%s', $_POST['username'], md5($_POST['username'].hash_password($_POST['password'])));
            // Give the cookie a real lifetime (30 days here) or it dies with the
            // browser session; HttpOnly keeps page scripts from reading it.
            setcookie('rememberme', $value, time() + 30 * 24 * 3600, '/', '', false, true);
        }
        redirect('/your/home/page.php'); // see the Post/Redirect/Get design pattern
    } else {
        // login incorrect, show an error message and whatever...
    }

At the beginning of every PHP file (or better, in an included file that bootstraps the app):

    session_start();

    if (isset($_SESSION['username'])) {
        // $_SESSION['username'] is logged in, proceed as you wish
    } else if (isset($_COOKIE['rememberme']) && strpos($_COOKIE['rememberme'], ':') !== false) {
        // The user checked the "remember me" feature some time ago in a previous login.
        // Let's check whether it is valid.
        list($username, $hash) = explode(':', $_COOKIE['rememberme'], 2);
        // We need the password hash stored for the user (remember: **never** store
        // passwords in plain text). Assumed to return null when no such user exists.
        $pwd_hash = obtain_password_hash_from_username($username);
        // Compare only the hash part of the cookie (the username is already split off);
        // hash_equals() compares in constant time.
        if ($pwd_hash !== null && hash_equals(md5($username.$pwd_hash), $hash)) {
            // Yeah, the user is remembered and the hash is correct. Save it in the
            // session so we don't do all this again.
            $_SESSION['username'] = $username;
        } else {
            // The cookie value is not correct: maybe an attacker trying to fool us,
            // or the user changed his/her password. Whatever it is, remove the cookie
            // because it's no longer valid.
            setcookie('rememberme', '', time() - 3600, '/');
        }
    } else {
        // the user is neither logged in nor "remembered"
    }

The method used to hash the user password is up to you. It might be plain md5 or sha, salted md5 or sha (better) or a time-consuming method like blowfish (recommended). For the cookie hash I've used plain md5, but you may choose any of the methods described earlier.

I think that's all.
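The whole lifecycle the answer describes (login, issuing the cookie, validating it on the next request, invalidation by password change, erasure on logout), as an added, runnable example that is not part of the original answer. It keeps the answer's "username:hash" cookie layout but generalizes the md5 step to an HMAC keyed by the stored password hash, so every outstanding cookie still becomes invalid the moment the password changes. The user store is a constructed in-memory array, and all function names here (`check_login`, `issue_remember_cookie`, `check_remember_cookie`, `resolve_user`, `logout`) are assumptions made for this example; run it with `php remember.php`.

```php
<?php
declare(strict_types=1);

// Helper so the demo fails loudly even where zend.assertions is off.
function expect(bool $ok, string $what): void {
    if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}

// Constructed in-memory "users table": username => password hash.
function stored_password_hash(array $db, string $username): ?string {
    return $db[$username] ?? null;
}

// Normal form login: verify the submitted password against the stored hash.
function check_login(array $db, string $username, string $password): bool {
    $hash = stored_password_hash($db, $username);
    return $hash !== null && password_verify($password, $hash);
}

// Token for the cookie. The key is the stored password hash, so a password
// change changes the expected token for every cookie ever issued (point 2).
function remember_token(string $username, string $pwd_hash): string {
    return hash_hmac('sha256', $username, $pwd_hash);
}

// Cookie value in the answer's layout: plaintext username, then the token.
function issue_remember_cookie(array $db, string $username): string {
    return $username . ':' . remember_token($username, $db[$username]);
}

// Returns the username if the cookie is genuine, null otherwise.
function check_remember_cookie(array $db, string $cookie): ?string {
    if (strpos($cookie, ':') === false) {
        return null;                                // malformed cookie
    }
    [$username, $token] = explode(':', $cookie, 2);
    $pwd_hash = stored_password_hash($db, $username);
    if ($pwd_hash === null) {
        return null;                                // unknown user
    }
    // hash_equals compares in constant time, so timing does not leak the token.
    return hash_equals(remember_token($username, $pwd_hash), $token) ? $username : null;
}

// What the per-request bootstrap does: the session wins, then the cookie,
// otherwise the visitor is anonymous. A valid cookie is cached in the session
// so the database is not consulted again for that session.
function resolve_user(array $db, array &$session, ?string $cookie): ?string {
    if (isset($session['username'])) {
        return $session['username'];
    }
    if ($cookie !== null) {
        $user = check_remember_cookie($db, $cookie);
        if ($user !== null) {
            $session['username'] = $user;
            return $user;
        }
    }
    return null;
}

// Logout (point 3): drop the session entry and return the arguments you would
// hand to setcookie() to expire the cookie in the real HTTP response.
function logout(array &$session): array {
    unset($session['username']);
    return ['rememberme', '', time() - 3600, '/', '', true, true];
}

// --- demo run ---
$db      = ['joe' => password_hash('correct horse', PASSWORD_DEFAULT)];
$session = [];

expect(check_login($db, 'joe', 'correct horse'), 'form login succeeds');
expect(!check_login($db, 'joe', 'wrong'), 'wrong password is rejected');

$cookie = issue_remember_cookie($db, 'joe');
echo "issued cookie: $cookie\n";

// New browser session, cookie only: user is recognised and cached in the session.
expect(resolve_user($db, $session, $cookie) === 'joe', 'cookie restores login');
expect(($session['username'] ?? null) === 'joe', 'session now caches the user');

// A cookie naming joe without the right token (point 1) is rejected.
expect(check_remember_cookie($db, 'joe:0000') === null, 'forged cookie rejected');
expect(check_remember_cookie($db, 'no-colon') === null, 'malformed cookie rejected');

// Changing the password invalidates every remembered login (point 2).
$db['joe'] = password_hash('new password', PASSWORD_DEFAULT);
expect(check_remember_cookie($db, $cookie) === null, 'old cookie dead after password change');

// Logout clears the session; the stale cookie no longer gets joe back in.
logout($session);
expect(resolve_user($db, $session, $cookie) === null, 'logged out and cookie invalid');
echo "all checks passed\n";
```

In a real request the session array is `$_SESSION`, the cookie comes from `$_COOKIE['rememberme']`, and the array returned by `logout()` is spread into `setcookie()`. The cookie still carries the username in clear, exactly as the answer says it must, so the server knows whose stored hash to key the HMAC with.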
