07-16-2012, 10:24 PM #1
Feedback on my authentication scheme
So I am writing a small little script for just a few people to use so I figured it would be a good way to test my own authentication system. I want some feedback about it.
All data incoming is escaped using mysqli_real_escape_string(). The passwords each have a unique salt generated from some user-specific data in the database and are hashed using SHA1(). I verify the username and password match.
Upon doing this I use SHA1(microtime()) as a session ID and I record this along with the IP into the users table. I give the user a cookie consisting of the username and session id. When the user attempts to access a protected page I load the cookie, escape the values using mysqli_real_escape_string() and verify the IP of the connection and the session id in the cookie match what's recorded for the user identified in the cookie.
I also record the current timestamp in the user table of the user's last action to enforce a timeout limit. If the timeout limit has passed or if I cannot verify the cookie I empty the session id from the db. I set the cookie expiration time to time() - 3600 (effectively deleting it) and I redirect to the login page with an error stating the session expired.
I also enforce a limit of 3 consecutive failed attempts on any username before it is blocked and 3 consecutive failed attempts from any IP before it is blocked.
The script will be accessed over an SSL connection as well.
What are your thoughts? I really look forward to some good suggestions to help make this system more secure, in hopes of using it on more visible scripts I am working on here soon.
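As an added example (not the poster's code), here is the session half of the scheme described above written in PHP, with two techniques swapped in: prepared statements instead of mysqli_real_escape_string(), and random_bytes() instead of SHA1(microtime()) for the session id. The `users` columns (username, sessionid, ip, last_action), the cookie names and the 15-minute timeout are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed schema: users(username, sessionid, ip, last_action).
const SESSION_TIMEOUT = 900; // assumed inactivity limit in seconds

function issueSession(mysqli $db, string $user, string $ip): string {
    // 128 bits from the OS CSPRNG; SHA1(microtime()) only carries the entropy of the clock value
    $sid = bin2hex(random_bytes(16));
    $now = time();
    $stmt = $db->prepare('UPDATE users SET sessionid = ?, ip = ?, last_action = ? WHERE username = ?');
    $stmt->bind_param('ssis', $sid, $ip, $now, $user);
    $stmt->execute();
    // Username and session id go in cookies as in the post; HttpOnly/Secure since the site is on SSL
    $opts = ['httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/'];
    setcookie('user', $user, $opts);
    setcookie('sid', $sid, $opts);
    return $sid;
}

function verifySession(mysqli $db, string $user, string $cookieSid, string $ip): bool {
    $stmt = $db->prepare('SELECT sessionid, ip, last_action FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs the mysqlnd driver
    // An emptied sessionid (the post's logout state) must never match an empty cookie value
    if ($row === null || $row['sessionid'] === null || $row['sessionid'] === '') {
        return false;
    }
    $ok = hash_equals($row['sessionid'], $cookieSid)          // constant-time compare
        && $row['ip'] === $ip
        && (time() - (int)$row['last_action']) <= SESSION_TIMEOUT;
    if (!$ok) {
        invalidateSession($db, $user);
        return false;
    }
    $now = time();
    $touch = $db->prepare('UPDATE users SET last_action = ? WHERE username = ?');
    $touch->bind_param('is', $now, $user);
    $touch->execute();
    return true;
}

function invalidateSession(mysqli $db, string $user): void {
    $stmt = $db->prepare("UPDATE users SET sessionid = '' WHERE username = ?");
    $stmt->bind_param('s', $user);
    $stmt->execute();
    setcookie('sid', '', time() - 3600, '/');   // expire the cookie, as the post does
}
```

The caller reads `$_COOKIE['user']` and `$_COOKIE['sid']` on each protected page and redirects to the login page when verifySession() returns false.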