User Login

07-26-2007, 07:27 PM
What is the most secure way of logging a user in? I.e., I would have stored their user id in a session var; apparently that is not secure if using a shared server.

What about storing a user id in a session var, and also in a "logged in" table, with a date and IP address?

07-27-2007, 06:05 AM
Using session vars is possible, although on shared servers it is possible other users could read private session keys from the server. If you are with a shared host you can check with your host what protection they have against session impersonation. Using IPs is not really a secure way, especially when some ISPs issue IPs dynamically.

There are a great many security issues you have to think about when designing any application that requires exchange of data. Here's a quick list of the security issues, then I'll explain some measures you will need to consider.

1. Confidentiality of personal data
You can't store passwords as plain text, as this would be breaching Data Protection Act laws.

2. SQL injections
When an SQL query to a database contains data that comes from the user, it is possible the user can change the data and add commands that will change the query. The query could be made to drop tables or do other malicious things.

$query = "SELECT * FROM users WHERE user='%s' AND password='%s'";

3. PHP injections
This is when the user predefines variables used in the PHP. Therefore if you were testing against a variable, say for instance if
$login=true; then the user could define login to true at the beginning. Using sessions is one way to protect against this; also always define your variables
$login=false; that way even if the user did set it you can override it.

4. Line in
If the hacker had a physical line into the transmission medium. This is unlikely! SSL is a way to secure against this and should always be considered for transmission of sensitive data. Any banking transactions should always be SSL.

You're gonna need access to your database so that when a user posts their user details you have a data source to authenticate against. The script will authenticate by connecting to the database through a user's account

$link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
if (!$link) {
    // Stop here if the connection failed
    die('Could not connect: ' . mysql_error());
}
echo 'Connected successfully';

Make sure you do not give the user more privileges than it needs; if it does not need to drop or create tables then it should not have access to. The first parameter in this function is the location from where the connection is made,
"hostname:port". Unless you require access from a script on another domain this should be set to localhost.

When using SQL you need to make sure you real-escape your queries; this will prevent an SQL injection. Check http://php.net for hints on using real escapes.

$query = sprintf("SELECT * FROM users WHERE user='%s' AND password='%s'",
    mysql_real_escape_string($user), mysql_real_escape_string($password));

A case where you do not need to escape is when you are about to compare the UI (User Input) with a database through MD5 hashes; in fact, if you do, the password stored in the database will not match the one in the request.

ludvig dot ericson at gmail dot com - @ http://php.net

Probably the securest way to authenticate is through SSL digital certificates. These communications are encrypted with a key. Data going to and from an SSL server is encrypted. Therefore anyone able to spy on the data only sees the encrypted unreadable data. Basically the data is encrypted with a key that sits with the client and the server. Therefore the only way in for a hacker is if they could get the key. However, you do have to pay for SSL certificates. You have to pay for a key to be registered to your domain. SSL should always be considered when sensitive data is sent, such as credit card details.

Although this is one of the securest methods of authentication, if you only require a secure login system that doesn't access sensitive data then you can use hashing algorithms. sha1 hashing is supported in PHP and is good for most login systems. Basically hashing involves applying a mathematical algorithm to the data which is irreversible. It is therefore not useful for two-way communication but can be helpful to store passwords. Basically the password is still sent in a text format so anyone can read it if they have a line in. But it is hashed before it is stored in the database and is hashed before it is authenticated. But if a hacker somehow gained access to your database the users' passwords would be useless to them. Also you do not breach the Data Protection Act by storing sensitive passwords in text format. For a good guide to hashing refer to http://forums.devnetwork.net/viewtopic.php?t=62782&highlight=

// $row['password'] holds the salted sha1 hash that was stored in the database
if (sha1($salt . $_POST["password"]) == $row['password'])
    echo "logged in";

When you have authenticated you can use session variables to keep the identification going. I usually use flags to set user classes

if (sha1($salt . $_POST["password"]) == $row['password'])

For more information on sessions look here http://uk.php.net/manual/en/ref.session.php

However, every time the user navigates to a new page the session id must be passed through the redirect, so you have to include the function
session_start(); at the very top of any page he could navigate to. That way the identification is maintained throughout the user's session. Hence the name session!

Another issue is making sure you use the POST method for data submissions; using the GET method will display the passwords.

<form action="page_to_send_to.htm" method="post">

When making your form don't forget to set the text field for password inputs to
type=password or the characters will be echoed back to the user's screen for any eyes to see.

<input type="password" name="password">
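The login flow from the post above, as an added example that is not part of the original thread: it uses PDO prepared statements and password_hash()/password_verify() in place of the mysql_* calls and sha1() shown in the post. The in-memory SQLite table, the user name and the passwords are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Table, user and passwords are constructed.
session_start(); // must run before any output on every page that uses the session

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, password TEXT)');

// Registration: store only a salted hash, never the plain-text password.
$ins = $db->prepare('INSERT INTO users (user, password) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

/** Returns the user id on success, null on failure. */
function authenticate(PDO $db, string $user, string $password): ?int
{
    // Placeholders keep user input out of the SQL text, so it cannot alter the query.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['id'];
}

function login(PDO $db, string $user, string $password): bool
{
    $_SESSION['user_id'] = null;      // define the variable yourself first (point 3 in the post)
    $id = authenticate($db, $user, $password);
    if ($id === null) {
        return false;
    }
    session_regenerate_id(true);      // issue a fresh session id once the user is authenticated
    $_SESSION['user_id'] = $id;
    return true;
}

var_dump(login($db, 'alice', 'correct horse'));  // valid credentials
var_dump(login($db, 'alice', 'wrong'));          // wrong password
var_dump(login($db, "alice' OR '1'='1", 'x'));   // quote characters are treated as part of the name
```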

07-27-2007, 09:05 PM
Cheers, that's a good pointer. What I meant by a database is, when someone "logs in", their user id, IP address, and a time stamp are stored in a table; when they log out this is removed.

The time stamp can be read, and if a set amount of time has passed, i.e. 30 mins, then that data is ignored by the PHP script.

So does an ip address change whilst the user is on the internet? or did you mean when they connect to the internet their ip address may change?

Finally, a session var would record the user id, so that if the user id and IP in the database do not match, the user can be "logged out"; if the session var is not set, then this saves the script from accessing the db.

Does this sound OK or just plain stupid to anyone?
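The "logged in" table described in the post above, as an added example that is not part of the original thread. The table name, column names and function names are assumptions, the addresses are documentation-range samples, and refreshing the timestamp on each request is an assumption the post does not state.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.
const SESSION_TTL = 1800; // 30 minutes, the timeout suggested in the post

function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE logged_in (user_id INTEGER PRIMARY KEY, ip TEXT, last_seen INTEGER)');
    return $db;
}

function record_login(PDO $db, int $userId, string $ip, int $now): void
{
    // One row per user; a new login replaces the old row.
    $db->prepare('REPLACE INTO logged_in (user_id, ip, last_seen) VALUES (?, ?, ?)')
       ->execute([$userId, $ip, $now]);
}

function record_logout(PDO $db, int $userId): void
{
    $db->prepare('DELETE FROM logged_in WHERE user_id = ?')->execute([$userId]);
}

/** True if the session user has a fresh row whose IP matches the current request. */
function is_logged_in(PDO $db, ?int $sessionUserId, string $ip, int $now): bool
{
    if ($sessionUserId === null) {
        return false;                       // no session var set: skip the database entirely
    }
    $stmt = $db->prepare('SELECT ip, last_seen FROM logged_in WHERE user_id = ?');
    $stmt->execute([$sessionUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int) $row['last_seen'] > SESSION_TTL || $row['ip'] !== $ip) {
        record_logout($db, $sessionUserId); // expired or mismatched: treat as logged out
        return false;
    }
    // Assumption: the 30 minutes count from the last request, so refresh the timestamp.
    $db->prepare('UPDATE logged_in SET last_seen = ? WHERE user_id = ?')->execute([$now, $sessionUserId]);
    return true;
}

// Constructed walk-through.
$db = open_store();
$t0 = 1185570000;
record_login($db, 7, '192.0.2.10', $t0);
var_dump(is_logged_in($db, 7, '192.0.2.10', $t0 + 600));    // same IP, 10 minutes later
var_dump(is_logged_in($db, 7, '198.51.100.4', $t0 + 900));  // IP differs from the stored one
var_dump(is_logged_in($db, 7, '192.0.2.10', $t0 + 1000));   // row was removed by the mismatch
```

With this scheme a user whose address changes mid-session is logged out and has to sign in again.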

07-28-2007, 02:18 AM
So does an ip address change whilst the user is on the internet? or did you mean when they connect to the internet their ip address may change?

Under normal circumstances, a user's IP does not change during a given session on the internet. There may be some proxy and advanced stuff I know nothing about...

The user's ISP will assign an IP to them when they connect. For dialup - that's each time you dial into your ISP. For broadband, you get an IP when you turn your modem on, reset your modem, and when the lease expires. When you reconnect or your lease expires, you may or may not get the same IP back. This is why many people don't recommend using a user's IP for validation, white/black listing.

07-28-2007, 12:59 PM
So a login session would be OK, as the IP would only be used while they're logged in.

07-30-2007, 10:14 AM
That should be fine as long as the IP address is being logged. Storing the IP address that they logged in with.