[nycphp-talk] user authentication security structure

Chris Hubbard chubbard at next-online.net
Wed Feb 4 13:11:42 EST 2004


All,
Thanks for all your suggestions and feedback to date.  The following is 
a description of the login and user-authentication mechanism I'm 
planning to implement in our application, based on the discussion here 
and other research I've done.  If you've got ways to improve it, please 
make suggestions.

Assumptions:
* all client browsers will have cookies enabled.  If they don't they get 
redirected to a page that tells them to enable cookies before they have 
the chance to log in.
* all pages (especially login) will be within SSL
* will be using custom session handlers (aka Sean's article in php|arch)

Requirements:
* users can bookmark any page in the application.  When the user tries 
to return to a bookmarked page after the session has expired, then they 
are presented with the login page.  After a successful login they're 
redirected to the bookmarked page.

Flow:
* user enters their username and password and submits the form
* code makes sure the data submitted is "clean"
* code checks username and password against values in db
* if they match create a cookie that will expire in 10 (or so) seconds
* create a session
* redirect to home page or bookmarked page.
* at home page read the temp cookie and the session data, if they 
correspond create a new cookie that will expire in N minutes.
* when user clicks "log out" destroy the session and either empty the 
cookie or fill it with garbage.

Thoughts:
I'm thinking of putting a timestamp into the login cookie, so if it's 
presented and it's too old, I can redirect to the login page
I may add a counter to the login cookie, if you don't get in after 3 or 
N attempts you get redirected to some (random) web address.
I've been thinking about using the cookie ID to sign and encrypt the 
session ID and then using the session ID to sign and encrypt the cookie 
ID but that might be overkill.
I may put the login page into its own folder ./login/login.php, and 
have the login cookie be specific to that folder.

Once I get this flat I'll make the pattern publicly available with 
diagrams and documentation.  I'm not sure whether it makes sense to 
include the code (we use Oracle with some internal classes), so probably 
won't include complete code.

Thoughts, comments, suggestions?
Chris
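The temp-cookie handshake from the Flow section above, written out as an added example (not code from the original post or from Chris's application): login binds a random token to the session and hands the same token to the browser in a 10-second cookie, the home page checks that the two correspond and that the token is not too old before issuing the N-minute cookie, and logout destroys both. Cookie names, the 30-minute lifetime and the use of random_bytes/hash_equals/session_regenerate_id are assumptions made here.

```php
<?php
// Added example: the login -> temp cookie -> home page -> N-minute cookie flow.
// Cookie names and lifetimes are assumptions, not values from the post.
const TEMP_COOKIE  = 'login_tmp';   // short-lived cookie set right after login
const AUTH_COOKIE  = 'auth';        // longer-lived cookie issued on the home page
const TEMP_TTL_SEC = 10;            // "expire in 10 (or so) seconds"
const AUTH_TTL_SEC = 30 * 60;       // "expire in N minutes"; N = 30 assumed here

$cookie_opts = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Strict'];

// Flow steps 4-6: after the username/password check against the db succeeds,
// store a random token plus a timestamp in the session and send the token
// to the browser in the temporary cookie.
function start_login(array $cookie_opts): void {
    session_regenerate_id(true);            // new session id after privilege change
    $token = bin2hex(random_bytes(16));
    $_SESSION['login_token'] = $token;
    $_SESSION['login_time']  = time();      // the timestamp idea from "Thoughts"
    setcookie(TEMP_COOKIE, $token, ['expires' => time() + TEMP_TTL_SEC] + $cookie_opts);
}

// Flow step 7: on the home (or bookmarked) page, confirm the temp cookie and the
// session data correspond and that the token is still fresh; only then issue
// the N-minute cookie. Returns false when the caller should redirect to login.
function complete_login(array $cookie_opts): bool {
    $expected  = $_SESSION['login_token'] ?? '';
    $presented = $_COOKIE[TEMP_COOKIE] ?? '';
    $fresh = isset($_SESSION['login_time']) && (time() - $_SESSION['login_time']) <= TEMP_TTL_SEC;
    if ($expected === '' || !$fresh || !hash_equals($expected, $presented)) {
        return false;
    }
    unset($_SESSION['login_token'], $_SESSION['login_time']);   // token is one-time use
    $_SESSION['authenticated'] = true;
    $_SESSION['auth_until']    = time() + AUTH_TTL_SEC;        // server-side copy of the expiry
    setcookie(AUTH_COOKIE, session_id(), ['expires' => time() + AUTH_TTL_SEC] + $cookie_opts);
    setcookie(TEMP_COOKIE, '', ['expires' => 1] + $cookie_opts);  // temp cookie no longer needed
    return true;
}

// Flow step 8: "log out" destroys the session and empties both cookies.
function logout(array $cookie_opts): void {
    $_SESSION = [];
    setcookie(TEMP_COOKIE, '', ['expires' => 1] + $cookie_opts);
    setcookie(AUTH_COOKIE, '', ['expires' => 1] + $cookie_opts);
    session_destroy();
}
```

On later requests the server should check `$_SESSION['auth_until']` against the clock rather than trusting the cookie's own expiry, since a client can present an expired cookie anyway.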
