Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 6 of 6

Thread: User Login

  1. #1
    Regular Coder
    Join Date
    Mar 2006
    Posts
    187
    Thanks
    5
    Thanked 0 Times in 0 Posts

    User Login

    What is the most secure way of Logging a user in? ie, i would have stored their user id in a session var, apparently that is not secure if using a shared server.

    What about storing a user id in a sesion var, and also in a "logged in" table, with a date and ipaddress?
    Last edited by phill_ridout; 07-26-2007 at 09:03 PM.

  • #2
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    Using session vars is possible. although on shared servers it is possible other users could read private session keys from the server. If you are with a shared host you can check with your host what protection they have againstg session impersination. Using IPs is not really a secure way. specially when some ISPs issue IPs dynamically.

    There are a great many security issues you have to think about when desinging any application that requires exchange of data. heres a quick list of the security issues then ill explain some measures you will need to consider.

    1. Confidentiality of personal data
    You cant store passwords as plain text as this would be breaching data protection act laws.

    2. SQL injections
    when an SQL query to a database is data that comes from the user it is possible the user can change the data and add commands that will change the query. The query could be made to drop tables or other malicious things.

    PHP Code:
    $query ="SELECT * FROM users WHERE user='%s' AND password='%s'" 
    3 PHP injections
    This is when the user predefines variables used in the php. Therefore if you were testing against a variable say for instance if
    PHP Code:
    $login=true
    then the user could define login to true at the begining. Using session is one way to protect against this also always define your variables
    PHP Code:
     $login=false 
    that ways even if the use did set it you can overide it.

    4 Line in
    If the hacker had a pysical line into the transmitons medium. This is unlikely! SSL is a way to secure against this ans should always be considered for transmission of sensitive data. Any banking transactions should always be SSL


    Your gonna need access to your database so that when a user posts there user details you have a data source to authenticate against. The script will authenticate by connecting to the databse through a users account

    PHP Code:
    $link mysql_connect('localhost''mysql_user''mysql_password');
    if (!
    $link) {
        die(
    'Could not connect: ' mysql_error());
    }
    echo 
    'Connected successfully';
    mysql_close($link); 
    Make sure you do not give the user more privalleges than it needs if it does not need to drop, create tables then it should not have access to. The first paremeter in this function is the location from where the connection is made
    Code:
    "hostname:port".
    Unless you require access from a script on another domain this should be set to localhost.

    When using SQL you need to make sure you real escape your querys this will prevent a sql injection Check http://php.net for hints on using real escapes.

    PHP Code:
    $query sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
                
    mysql_real_escape_string($user), 
    A case where you do not need to escape is when you are about to compare the UI (User Input) with a database through MD5 hashes, infact if you do, the password stored in the database will not match the one in the request.

    ludvig dot ericson at gmail dot com - @ http://php.net
    Probably the securest way to authenticate is through SSL digital certificats. These communications are encrypted with a key. Data going to and from an SSL server is encrypted. Therefore anyone able to spy on the data only sees the encrypted unreadable data. Basically the data is encrypted with a key that sites with client and the server. Therefore the only way in for a hacker is if they could get the key. However you do have to pay for SSL certifiactes. You have to pay for a key to be registerd to your domain. SSL should always be considered when sensitive data is sent such as credit card details.

    Although this is the one of the securest methods of authentication if you only require to have a secure log in systems and that dont access sensitive data then you can use hashing algorithems. sha1 hashing is supported in php and is good for most login systems. Basically hashing involves applying a mathmatical algorithm to the data which is unreversable. It is therefore not usefull for two way communication but can be helpfull to store passwords. Basicially the password is still sent in an text format so anyone can read it if they have a line in. But is hashed before it is stored in the databse and is hased before it is authenticated. But if a hacker somehow gained acces to your database the users passwords would be useless to them. Also you do not breach the data protection act by storing sensitive passwords in text format. for a good guide to hashing refer to http://forums.devnetwork.net/viewtop...782&highlight=

    PHP Code:
     if (sha1(salt+$_POST["password"])==sha1(salt+$row['password']))
    {
     echo (
    "logged in");

    When you have authenticated you can use session variables to keep the identification going. I usually use flags to set user classes

    PHP Code:
    if (sha1(salt+$_POST["password"))==sha1(salt+$row['password']))
    {
      
    $_SESSION['loggedin']=true;

    for more information on session look here http://uk.php.net/manual/en/ref.session.php

    However every time the user navigates to a new page the session id must be passed through the redirect so you have to inlcude the function
    PHP Code:
    session_start(); 
    at vry top of page he could navigate to. That way the identification is maintained through out the users session. Hence the name session!

    Another issue is making sure you use the POST method for data submissions using the GET method will display the passwords.

    Code:
    <form action="page_to_send_to.htm" method="post">
    When making your form don't forget to make set the text field for password inputs to
    Code:
    type=password
    or the characters will be echoed back to the users screen for any eyes to see.

    Code:
    <input type="password" name="password">
    Last edited by timgolding; 07-27-2007 at 01:58 PM.
    You can not say you know how to do something, until you can teach it to someone else.

  • #3
    Regular Coder
    Join Date
    Mar 2006
    Posts
    187
    Thanks
    5
    Thanked 0 Times in 0 Posts
    cheers thats a good pointer, what i ment by a database, is when someone "logs in", their user id, ip address, and a time stamp is stored in a table, when they logout this is removed.

    The time stamp can be read, and if a set amount of time has passed ie, 30 mins, then that data is ignored by the php script.

    So does an ip address change whilst the user is on the internet? or did you mean when they connect to the internet their ip address may change?

    Finaly a session var would record the user id, so that if the user id and ip do not in the database do not match, the user can be "logged out", if the session var is not set, then this saves the script from accessing the db.

    Does this sound ok or just plain stupid to any one?

  • #4
    New Coder
    Join Date
    Jun 2007
    Location
    Canada
    Posts
    49
    Thanks
    1
    Thanked 1 Time in 1 Post
    So does an ip address change whilst the user is on the internet? or did you mean when they connect to the internet their ip address may change?
    Under normal circumstances, a user's IP does not change during a given session on the internet. There may be some proxy and advanced stuff I no nothing about...

    The user's ISP will assign an IP to them when they connect. For dialup - that's each time you dial into your ISP. For broadband, you get an IP when you turn your modem on, reset your modem, and when the lease expires. When you reconnect or your lease expires, you may or may not get the same IP back. This is why many people don't recommend using a user's IP for validation, white/black listing.
    Of all the things I've lost in my life time, my mind is the one I miss the most!

  • #5
    Regular Coder
    Join Date
    Mar 2006
    Posts
    187
    Thanks
    5
    Thanked 0 Times in 0 Posts
    so a login session would be ok as the ip would only be used while their logged in.

  • #6
    Senior Coder timgolding's Avatar
    Join Date
    Aug 2006
    Location
    Southampton
    Posts
    1,519
    Thanks
    114
    Thanked 110 Times in 109 Posts
    That should be fine as long as the IP address is being logged. Storing the IP address that they logged in with.
    You can not say you know how to do something, until you can teach it to someone else.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •