[nycphp-talk] user authentication security structure

Chris Hubbard chubbard at next-online.net
Wed Feb 4 20:14:40 EST 2004


No takers?

Chris Hubbard wrote:

> All,
> Thanks for all your suggestions and feedback to date.  The following 
> is a description of the login and user-authentication mechanism I'm 
> planning to implement in our application, based on the discussion here 
> and other research I've done.  If you've got ways to improve it, 
> please make suggestions.
>
> Assumptions:
> * all client browsers will have cookies enabled.  If they don't they 
> get redirected to a page that tells them to enable cookies before they 
> have the chance to log in.
> * all pages (especially login) will be within SSL
> * will be using custom session handlers (aka Sean's article in php|arch)
>
> Requirements:
> * users can bookmark any page in the application.  When the user tries 
> to return to a bookmarked page after the session has expired, then 
> they are presented with the login page.  After a successful login 
> they're redirected to the bookmarked page.
>
> Flow:
> * user enters their username and password and submits the form
> * code makes sure the data submitted is "clean"
> * code checks username and password against values in db
> * if they match create a cookie that will expire in 10 (or so) seconds
> * create a session
> * redirect to home page or bookmarked page.
> * at home page read the temp cookie and the session data, if they 
> correspond create a new cookie that will expire in N minutes.
> * when user clicks "log out" destroy the session and either empty the 
> cookie or fill it with garbage.
>
> Thoughts:
> I'm thinking of putting a timestamp into the login cookie, so if it's 
> presented and it's too old, I can redirect to the login page
> I may add a counter to the login cookie, if you don't get in after 3 
> or N attempts you get redirected to some (random) web address.
> I've been thinking about using the cookie ID to sign and encrypt the 
> session ID and then using the session ID to sign and encrypt the 
> cookie ID but that might be overkill.
> I may put the login page into its own folder ./login/login.php, and 
> have the login cookie be specific to that folder.
>
> Once I get this flat I'll make the pattern publicly available with 
> diagrams and documentation.  I'm not sure whether it makes sense to 
> include the code (we use Oracle with some internal classes), so 
> probably won't include complete code.
>
> Thoughts, comments, suggestions?
> Chris
>
> _______________________________________________
> talk mailing list
> talk at lists.nyphp.org
> http://lists.nyphp.org/mailman/listinfo/talk
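The flow described in the quoted message, written out as an added PHP example. This is not Chris's code and not anything posted to the list; it assumes a modern PHP (7.3 or later, for the array form of setcookie()), a hypothetical users table with username and password_hash columns, a placeholder secret, and helper names invented here. It adds the pieces from the "Thoughts" section (a timestamp in the cookie, an attempt counter) plus two checks a reviewer would ask for: the cookie is signed so its contents cannot be altered, and the bookmarked return path is restricted to a local path so the login redirect cannot be pointed off-site.

```php
<?php
// Added example (not from the thread). All names, the table layout, the cookie
// name and the secret below are assumptions made for illustration.
declare(strict_types=1);

const LOGIN_SECRET = 'PLACEHOLDER-replace-with-a-long-random-secret';
const TEMP_COOKIE_TTL = 10;          // "expire in 10 (or so) seconds"
const LOGIN_COOKIE_TTL = 20 * 60;    // "expire in N minutes"
const MAX_ATTEMPTS = 3;

// Step 2: make sure the submitted data is "clean".
function readCredentials(array $post): ?array
{
    $user = trim((string)($post['username'] ?? ''));
    $pass = (string)($post['password'] ?? '');
    if ($user === '' || $pass === '' || strlen($user) > 64) {
        return null;
    }
    return [$user, $pass];
}

// Step 3: check the username and password against the db (hypothetical
// users table: id, username, password_hash holding password_hash() output).
function checkLogin(PDO $db, string $user, string $pass): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;
    }
    return (int)$row['id'];
}

// The cookie carries the timestamp from "Thoughts" plus an HMAC over it, so a
// tampered or stale cookie is rejected before anything trusts its contents.
function makeToken(int $userId, int $issuedAt): string
{
    $payload = $userId . ':' . $issuedAt;
    return $payload . ':' . hash_hmac('sha256', $payload, LOGIN_SECRET);
}

function verifyToken(string $token, int $maxAge, int $now): ?int
{
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $issuedAt, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . ':' . $issuedAt, LOGIN_SECRET);
    if (!hash_equals($expected, $mac)) {        // constant-time comparison
        return null;
    }
    if ($now - (int)$issuedAt > $maxAge) {       // "too old": back to the login page
        return null;
    }
    return (int)$userId;
}

// Requirement: send the user back to the bookmarked page. Only a local path is
// accepted; an absolute URL here would turn the login page into an open redirect.
function safeReturnPath(?string $candidate): string
{
    if ($candidate === null || $candidate === '' || $candidate[0] !== '/'
        || strncmp($candidate, '//', 2) === 0) {
        return '/home.php';
    }
    return $candidate;
}

function setLoginCookie(string $token, int $ttl): void
{
    // secure + httponly match the "all pages within SSL" assumption.
    setcookie('login', $token, ['expires' => time() + $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Steps 1, 4, 5, 6: the POST handler on login.php.
function handleLogin(PDO $db, array $post, array $get): void
{
    session_start();
    $creds = readCredentials($post);
    $userId = $creds ? checkLogin($db, $creds[0], $creds[1]) : null;
    if ($userId === null) {
        // The attempt counter lives in the server-side session rather than the
        // cookie, so the client cannot simply reset it.
        $_SESSION['attempts'] = ($_SESSION['attempts'] ?? 0) + 1;
        if ($_SESSION['attempts'] >= MAX_ATTEMPTS) {
            sleep(2);                        // slow down repeated guesses
        }
        header('Location: /login/login.php'); exit;
    }
    session_regenerate_id(true);             // never keep the pre-login session id
    $_SESSION = ['user_id' => $userId, 'login_at' => time()];
    setLoginCookie(makeToken($userId, time()), TEMP_COOKIE_TTL);   // step 4
    header('Location: ' . safeReturnPath($get['return'] ?? null)); exit;
}

// Step 7: on the landing page, match the temp cookie against the session, then
// issue the longer-lived cookie. Returns false when the caller should redirect
// to the login page.
function handleLanding(array $cookie): bool
{
    session_start();
    $userId = verifyToken($cookie['login'] ?? '', TEMP_COOKIE_TTL, time());
    if ($userId === null || $userId !== ($_SESSION['user_id'] ?? null)) {
        return false;
    }
    setLoginCookie(makeToken($userId, time()), LOGIN_COOKIE_TTL);
    return true;
}

// Step 8: log out, destroying the session and emptying the cookie.
function handleLogout(): void
{
    session_start();
    $_SESSION = [];
    session_destroy();
    setcookie('login', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The signed token makes the "sign and encrypt" idea from the message cheaper than it sounds: an HMAC over user id and timestamp is enough to detect tampering, and the session itself stays server-side, so nothing secret needs to be encrypted into the cookie. The cookie set in handleLogin() is the short-lived one; handleLanding() only replaces it with the N-minute cookie once the cookie and the session agree on the user.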