
Securing a login system in a particular way

I'm making a new login system to practice my PHP, since the last one I made was pretty insecure, as I've found out the more I've learnt...

Anyway, essentially I'm getting a little confused about how to truly make it secure. A lot of answers to similar things regarding this state that authenticating a user per-page isn't necessary; that they just need to be authorized. However, say for instance I wanted to make it possible for users to force all users currently logged into an account to be logged out when the password for the account is changed (in practice the person who changed the password would be kept logged in, that's a simple enough task...).

The only way I can think of this working is if the password is stored somehow, so that it can be compared with a user's credentials in the database.

Essentially, I have a few questions because of this:

  1. Why do most people think it isn't worth making a login system work this way?
  2. Is there some ridiculously easy way of doing this that I'm overlooking? (Either way, if anyone can direct me to a way of doing it I'll greatly appreciate it!)
  3. When making a login system that remembers you, what should be in a cookie for it to be secure and for it to still remember you?

Thanks!

There is a fundamental way of doing this:

Upon login, you concatenate the session id, a salt, and the user's password hash into a string and then md5 hash it. Store it in a cookie called "auth" or something.

Now when they request a page you just select from the database where an md5 hash of the user's password, session id and salt = the "auth" cookie. This way, if no match is made then the user is asked to login.

Good security relies on multiple levels of authentication... storing authentication data in sessions and cookies and encrypting passwords etc.

To answer your question as to how this could work:

You could build a basic authentication class that, after authenticating users, stores a cookie and sets the session variable(s) including a password hash. Whatever method you use to verify a user is authenticated on each page can check the database for the password compared to the hash, and if it has changed the authentication would fail.

You can ensure that a cookie is only set over an https connection; if it's not https it won't set a cookie. There is also a parameter in the setcookie function that enables you to limit the cookie to http only, so javascript can't get a hold of the cookie via cross site scripts etc. http://php.net/manual/en/function.setcookie.php

Security is all about understanding how something works and how it CAN be exploited.
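The scheme the two answers describe (a per-session value derived from the stored password hash, re-checked against the database on each page, with the session cookie restricted to HTTPS and HTTP-only), written out as an added example; this is not code from the question or from either answer. It swaps the answer's md5 for an HMAC with a server-side secret, and assumes a hypothetical PDO connection `$db`, a `users` table with `id` and `password_hash` columns, and a secret in the `APP_SESSION_SECRET` environment variable.

```php
<?php
// Added example, not code from the question or the answers. It binds a session
// to the account's current password hash so that changing the password
// invalidates every other session while the session that changed it stays
// logged in. Assumed (hypothetical): a PDO connection $db, a users table with
// columns id and password_hash, and a secret in APP_SESSION_SECRET.
declare(strict_types=1);
// Cookie flags from the second answer: HTTPS-only and not readable by JavaScript.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

// HMAC over the session id and stored password hash with a server-side secret,
// used in place of the answer's md5(session id . salt . password hash).
function sessionToken(string $sessionId, string $passwordHash): string {
    $secret = getenv('APP_SESSION_SECRET') ?: 'PLACEHOLDER-SECRET'; // placeholder
    return hash_hmac('sha256', $sessionId . '|' . $passwordHash, $secret);
}

function currentPasswordHash(PDO $db, int $userId): ?string {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string) $hash;
}

// Call once after password_verify() succeeds at login.
function startAuthenticatedSession(int $userId, string $passwordHash): void {
    session_regenerate_id(true); // fresh id, so a pre-login id cannot be fixed
    $_SESSION['user_id'] = $userId;
    $_SESSION['auth'] = sessionToken(session_id(), $passwordHash);
}

// Call at the top of every protected page. Returns false once the stored
// password hash no longer matches the one this session was bound to.
function isAuthenticated(PDO $db): bool {
    if (!isset($_SESSION['user_id'], $_SESSION['auth'])) {
        return false;
    }
    $hash = currentPasswordHash($db, (int) $_SESSION['user_id']);
    return $hash !== null
        && hash_equals(sessionToken(session_id(), $hash), $_SESSION['auth']);
}

// Store the new hash, then re-bind only the caller's session to it
// (verifying the old password first is left to the calling page).
function changePassword(PDO $db, int $userId, string $newPassword): void {
    $newHash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => $newHash, ':id' => $userId]);
    $_SESSION['auth'] = sessionToken(session_id(), $newHash);
}
```

Every other session for that account still carries a token computed from the old hash, so its next `isAuthenticated()` call fails and that visitor is sent back to the login form.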
