"School Me on Secure Login (PHP, of course)" Wed Aug-27-08 06:37 AM by alexthezombie
Okay so I'm trying to make my login script a tad more secure than just setting cookies and calling it a day.
I've been looking at using SESSIONS (the way I should have been doing it from the beginning), but I'm unclear on the difference between SESSIONs and COOKIEs as far as security.
Also, I mean, should my script just poll the database for an entry with a matching email, check the password and then set the session values??
Oh and as for storing password... MD5 encryption the way to go?
1. "RE: School Me on Secure Login (PHP, of course)" In response to Reply # 0
I'm no PHP expert, but I do have some experience with it.
I believe that the difference between sessions and cookies is that sessions are stored on the server, and cookies are stored on the user's machine.
"Also, I mean, should my script just poll the database for an entry with a matching email, check the password and then set the session values??" --Yes
"Oh and as for storing password... MD5 encryption the way to go?" --I've used SHA1 (http://us3.php.net/sha1). Not sure if one is better than the other.
----------------------------- There is no such thing as coincidence, just the illusion of coincidence itself.
2. "I think generally you assign the user a session ID when they login" In response to Reply # 0
they pass this ID to the server on every page load (either via a cookie, a querystring parameter, or some other means). The session ID is used to lookup the user's info on the server side. This way, you're not passing around sensitive info on every page load. You're just passing around an ID which is generally just a random number.
I'd be shocked if there weren't some PHP libs that handled all the heavy lifting for you. Back in my perl days I just used a module to implement the majority of this.
------------------------------------- <--- Stop being such an Internet troll, Nopayne
3. "fam you need to just buy a good book on php..." In response to Reply # 0
> I've been looking at using SESSIONS (the way I should have been doing it from the beginning), but I'm unclear on the difference between SESSIONs and COOKIEs as far as security.
Sessions and cookies should work in conjunction. Generally, you would authenticate the username and password, then generate a session id, and then pass that session id back and forth in the HTTP cookie.
> Also, I mean, should my script just poll the database for an entry with a matching email, check the password and then set the session values??
more or less, yeah.
> Oh and as for storing password... MD5 encryption the way to go?
Not by itself. MD5 is no longer considered secure. You should add a salt or use some other method to strengthen whatever hash you use.
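The flow the replies above describe (check the e-mail and password against the database, hand a session id back in a cookie, and store passwords with a salted, strong hash rather than bare MD5), as an added example that is not code from the thread. It assumes PHP 5.5 or later for password_hash(), a PDO connection in $pdo, and a hypothetical users table with id, email and password_hash columns.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5 (password_hash),
// a PDO handle in $pdo and a hypothetical `users` table with the columns
// id, email and password_hash.

// Call once per request before any output: the session id travels only in a
// cookie that page scripts cannot read (httponly) and that is only sent over
// HTTPS (secure), so drop the `true` for secure on a plain-HTTP dev box.
function start_secure_session() {
    if (session_status() === PHP_SESSION_ACTIVE) { return; }
    ini_set('session.use_only_cookies', 1);
    session_set_cookie_params(0, '/', '', true, true); // secure + httponly
    session_start();
}

// Registration: password_hash() picks a random salt and uses bcrypt, which
// covers the "add a salt / strengthen the hash" advice above.
function create_user(PDO $pdo, $email, $password) {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return (int) $pdo->lastInsertId();
}

// Login: find the row by email, verify the password against the stored hash,
// then rotate the session id and keep only the user id server-side.
function login(PDO $pdo, $email, $password) {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the email is unknown so that both
    // failure cases take roughly the same time.
    static $dummy = null;
    if ($dummy === null) { $dummy = password_hash('dummy', PASSWORD_DEFAULT); }
    $stored = $row ? $row['password_hash'] : $dummy;
    if (!password_verify($password, $stored) || !$row) { return false; }

    start_secure_session();
    session_regenerate_id(true);          // new id on login, old one deleted
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['logged_in_at'] = time();
    // Re-hash transparently if PHP's default cost or algorithm has changed.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT),
                       ':id' => $row['id']]);
    }
    return true;
}
```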
I don't normally get stuck with PHP. The code isn't my issue, it's the methodology, I guess.
Like I think I'm always looking to try and find unreasonable solutions (like a way to run a query on a 10 million-entry table without a hiccup without upgrading hardware).
Like.. I have ideas that I can't seem to find any precedent for via Google or official documentation that I need to work out before I try it out.
For example: On my own server, just to try it out, I wanted a database of MP3s and instead of storing the MP3s, I stored the file contents as a string, stored in the database. When you wanted to download it, the string was called and output with the correct headers. Was cool. But it wouldn't work for a large library.
That's the type of shit I would/should ask around about before trying.
10. "I understand..." In response to Reply # 9 Wed Aug-27-08 03:33 PM by Triptych
Just starting out I was in your same boat.
I'll just say that it's much, much rarer than you think that you'll come up with a problem that isn't already very well studied in computer programming.
You'll really just need to learn the right things to search for, and that will probably just come with experience.
For instance, for something I'm working on now I might search for "Python dynamic object composition" or "Python metaprogramming". But to even search for that I need to have a pretty good understanding of the problem I'm trying to solve AND a good knowledge of how that problem is described in the programming community.
I'll recommend you pick up the O'Reilly PHP Cookbook. And just read it, like cover to cover pretty much.
It should be a decent introduction to doing things the right way in PHP, as well as a good introduction to the topics and basic methodologies in web programming, regardless of language.
4. "Is this a secure method?" In response to Reply # 0
Heh, I was doing more digging around and I'm using this for my encryption
md5(sha1($password));
Good luck cracking that shit LOL. While looking around, I found that people were even going all kinds of crazy by having it re-encrypt itself like 100 times over. Kind of extreme.
But as for making the user data available to the pages & scripts, I'm not seeing any other way than to define each of the needed variables as a SESSION variable.
One way I'm thinking of doing it is like this: On login success, the data entry updates itself with a fresh session ID code and then all that would be stored in SESSION is that ID. And then on every page (in the header) having the information loaded in to an array by polling the database for an entry with the matching SESSION ID.
My only gripe with that method is it seems like I have to do a database query on every page, which may be fine for now, but I'm thinking scalability. When I have like 1000s of pages being loaded a second by different people, is it gonna hurt my database to be running a query at the top of every page like that?
It seems like it'd be easier to just load up the basic info (user name, shopping cart contents, and avatar url)
Thoughts? I really appreciate everyone's input and help.
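An added example (not from the thread) of the per-page check discussed in this post, written so that the user's details are read from the database once after login and then cached in the session, instead of querying the users table on every page load. It assumes PHP 5.4 or later, a PDO handle in $pdo, a login step that already stored the user's id in $_SESSION['user_id'], and a hypothetical users table with id, name and avatar_url columns.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.4, a PDO handle in
// $pdo, $_SESSION['user_id'] set at login, and a hypothetical `users` table
// with the columns id, name and avatar_url. /login.php is a placeholder path.

const PROFILE_TTL = 300; // seconds a cached profile is trusted before re-reading the row

// Include at the top of every protected page. Returns the user record, or
// redirects to the login page when there is no valid session.
function require_login(PDO $pdo) {
    if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
    // Refresh the copy in the session only when it is stale, so the database
    // sees one query per user per PROFILE_TTL instead of one per page load.
    $stale = empty($_SESSION['profile_at']) || time() - $_SESSION['profile_at'] > PROFILE_TTL;
    if ($stale || empty($_SESSION['profile'])) {
        $stmt = $pdo->prepare('SELECT id, name, avatar_url FROM users WHERE id = :id');
        $stmt->execute([':id' => $_SESSION['user_id']]);
        $profile = $stmt->fetch(PDO::FETCH_ASSOC);
        if (!$profile) {              // account removed since login: drop the session
            logout();
            header('Location: /login.php', true, 302);
            exit;
        }
        $_SESSION['profile'] = $profile;
        $_SESSION['profile_at'] = time();
    }
    return $_SESSION['profile'];
}

// Clear the server-side data and expire the browser's session cookie.
function logout() {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```

The shopping cart mentioned in the post is per-session state anyway, so it can live directly in $_SESSION alongside the cached profile without any database lookup.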
So I'm doing a final recode before launching this mutha and I'm now trying to convert my COOKIE system to SESSION. Problem is, my SESSION variables are not sticking. Thoughts?
13. "I'm not THAT stupid" In response to Reply # 12 Mon Sep-08-08 08:45 PM by alexthezombie
I did use session_start()
This is how I'm testing. I'm starting the session and then setting a few variables, and loading the script.
Then I got another script that should be showing me my session variables, using print_r.
I DID get a book. Two, actually (one on PHP 5 and another on PHP 6). I have yet to find anything new. All the Googling in the world is telling me I'm doing the SESSION correctly, but it's just not working. The SESSION cookie is setting just fine, but nothing else.
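An added diagnostic script, not from the thread, that checks the usual reasons $_SESSION values get set on one request but come back empty on the next; it assumes PHP 5.4 or later and the default file-based session handler. Load it twice in the same browser; the second load should show a hit count of 2.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.4 and the default
// file-based session save handler.
$problems = [];

// 1. session_start() must run before any byte of output (a BOM or a blank line
//    before <?php counts), otherwise the session cookie header is never sent.
if (headers_sent($file, $line)) {
    $problems[] = "output already started at $file:$line before session_start()";
}
if (session_status() !== PHP_SESSION_ACTIVE && !session_start()) {
    $problems[] = 'session_start() failed (see the PHP error log)';
}

// 2. The web server user must be able to write the session file.
$path = session_save_path() ?: sys_get_temp_dir();
if (!is_dir($path) || !is_writable($path)) {
    $problems[] = "session.save_path '$path' is not writable by the web server";
}

// 3. A cookie flagged secure is only returned over HTTPS; on plain HTTP every
//    request then starts a brand-new, empty session.
if (ini_get('session.cookie_secure') && empty($_SERVER['HTTPS'])) {
    $problems[] = 'session.cookie_secure is on but this request is not HTTPS';
}

// 4. The browser must send the cookie back at all.
if (!isset($_COOKIE[session_name()])) {
    $problems[] = 'no ' . session_name() . ' cookie in this request (first load, or cookie rejected)';
}

// 5. Values must be written to $_SESSION itself, not to a copy of it.
$_SESSION['hits'] = isset($_SESSION['hits']) ? $_SESSION['hits'] + 1 : 1;

header('Content-Type: text/plain');
echo 'session id: ', session_id(), "\n";
echo 'hits this session: ', $_SESSION['hits'], "\n";
echo $problems ? "problems:\n - " . implode("\n - ", $problems) . "\n" : "no problems detected\n";
```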