Best way to do login

bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Best way to do login

Post by bowersbros »

What's the best way to do a login?

Should I set a session for the ID, and then a secret key which changes each time they log in, and check those two in the database?

Or is there a better / more efficient method?
I don't like to brag, but I wasn't circumcised. I was circumnavigated. ;)

Want to learn something new? Or maybe reinforce what you already know? Or just help out? Please subscribe to my videos: http://goo.gl/58pN9
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Best way to do login

Post by jacek »

// assumes session_start() has already been called; correct_password() stands for
// whatever checks the submitted password against the stored password hash
if (isset($_POST['username'], $_POST['password']) && correct_password($_POST['username'], $_POST['password'])){
    $_SESSION['username'] = $_POST['username'];
}
Then
if (isset($_SESSION['username'])){
    echo 'Yay, you logged in !';
}
How else could you do it ?
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

What I mean, though, is that it is too easy for someone to create a session, isn't it, and fake their way into making me believe that they're someone else.
wrichards8
Posts: 66
Joined: Thu Jan 12, 2012 3:54 pm

Re: Best way to do login

Post by wrichards8 »

You should probably have the user's ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

wrichards8 wrote:You should probably have the user's ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.
That could be easy to fake, depending on the setup of profile pages etc.
The way I chose to do this in the end was:
public static function login($param1 = null, $password = null){
    // $dbh was undefined in the original listing; it is assumed here to be a PDO
    // connection held by the class (self::$dbh)
    $dbh = self::$dbh;
    if(!isset($param1, $password)){
        return false;
    }
    // FILTER_VARIABLE_EMAIL does not exist; filter_var() with FILTER_VALIDATE_EMAIL
    // returns the validated address or false, never true
    $email = filter_var($param1, FILTER_VALIDATE_EMAIL);
    if($email !== false){
        $login_attempt = self::check_credentials('email', $email, $password);
        $lookup = $email;
    } else {
        $user = $param1;
        $login_attempt = self::check_credentials('username', $user, $password);
        $lookup = $user; // the original looked the user id up by $email in this branch too
    }
    if($login_attempt !== true){
        return false;
    }
    // login successful: issue a new per-login key and replace any old one
    session_regenerate_id(true); // fresh session id so one issued before login cannot be reused
    $uniqid = uniqid(); // note: uniqid() is time-based, not cryptographically random
    // getUserId() is assumed to accept whichever identifier was used to log in
    $userid = self::getUserId($lookup);
    // hmac_hash() does not exist; hash_hmac() needs a key, here an assumed
    // server-side constant SESSION_SECRET kept outside the database
    $key = hash_hmac('sha256', $uniqid . $userid, SESSION_SECRET);
    // query() already executes the SQL, so execute() on its result was wrong; use
    // prepared statements instead of quote() plus concatenation. In the INSERT the
    // original had "and" where a comma belongs, and `key` is a reserved word
    $sth = $dbh->prepare('DELETE FROM login_sessions WHERE user_id = ?');
    $sth->execute(array($userid));
    $sth = $dbh->prepare('INSERT INTO login_sessions SET user_id = ?, `key` = ?');
    $sth->execute(array($userid, $key));
    $_SESSION['ukey'] = $key;
    $_SESSION['username'] = self::getUsername($userid);
    return true;
}
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Best way to do login

Post by jacek »

bowersbros wrote:What I mean, though, is that it is too easy for someone to create a session, isn't it, and fake their way into making me believe that they're someone else.
Link the session ID to the IP address, problem solved :P Plus they have to be able to guess the session ID which is not easy
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

jacek wrote:
bowersbros wrote:What I mean, though, is that it is too easy for someone to create a session, isn't it, and fake their way into making me believe that they're someone else.
Link the session ID to the IP address, problem solved :P Plus they have to be able to guess the session ID which is not easy
I'm trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing :(
Kamal
Posts: 123
Joined: Fri May 06, 2011 10:45 am

Re: Best way to do login

Post by Kamal »

bowersbros wrote: So, no IP storing :(
You are already doing that, look at your nginx logs ;)
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

Kamal wrote:
bowersbros wrote: So, no IP storing :(
You are already doing that, look at your nginx logs ;)
I'm planning on having no logs eventually; I'm currently logging stuff so that I can keep track of any visitors I don't particularly want yet :P
Kamal
Posts: 123
Joined: Fri May 06, 2011 10:45 am

Re: Best way to do login

Post by Kamal »

bowersbros wrote:
Kamal wrote:
bowersbros wrote: So, no IP storing :(
You are already doing that, look at your nginx logs ;)
I'm planning on having no logs eventually; I'm currently logging stuff so that I can keep track of any visitors I don't particularly want yet :P
You can log only the things you want in nginx
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Best way to do login

Post by jacek »

bowersbros wrote:I'm trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing :(
Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load :)
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

jacek wrote:
bowersbros wrote:I'm trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing :(
Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load :)
Because I'm doing an upload website, and if it doesn't store people's IPs then they'd be much more willing to use the website, since I can guarantee that not 100% of the data is going to be legal.
jacek
Site Admin
Posts: 3262
Joined: Thu May 05, 2011 1:45 pm
Location: UK

Re: Best way to do login

Post by jacek »

Store a hash of the IP that can't be used to get back to the original IP ?
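Putting jacek's two suggestions together (bind the session to the client address, but store only a hash of it that cannot be turned back into the IP) with the per-login key from the first post, as an added example that is not code from the thread. It assumes PHP 7.1+, that session_start() has already run, a PDO handle $dbh, a table login_sessions(user_id, session_key, ip_hash) and a server-side secret passed in as $secret; these names are all my own.

```php
<?php
// Keyed hash of the client IP. A plain sha256($ip) would not protect anyone:
// there are only 2^32 IPv4 addresses, so every one can be hashed and matched
// against the stored value. With a secret that is kept out of the database the
// digest is useless to whoever reads the table, and rotating the secret makes
// old rows unlinkable.
function ip_token(string $ip, string $secret): string {
    return hash_hmac('sha256', $ip, $secret);
}

// Called after the password check succeeded. Issues a fresh random key,
// replaces any previous row for the user and binds it to the PHP session.
function start_login(PDO $dbh, int $userId, string $secret): void {
    session_regenerate_id(true);          // discard any pre-login session id (fixation)
    $key = bin2hex(random_bytes(32));     // CSPRNG, unlike uniqid()
    $ipHash = ip_token($_SERVER['REMOTE_ADDR'], $secret);
    $dbh->prepare('DELETE FROM login_sessions WHERE user_id = ?')->execute([$userId]);
    $dbh->prepare('INSERT INTO login_sessions (user_id, session_key, ip_hash) VALUES (?, ?, ?)')
        ->execute([$userId, $key, $ipHash]);
    $_SESSION['user_id'] = $userId;
    $_SESSION['ukey']    = $key;
}

// Returns the user id when the key in $_SESSION matches the row stored for that
// user and the request comes from the same (hashed) address; null otherwise.
// hash_equals() keeps both comparisons constant-time.
function current_user(PDO $dbh, string $secret): ?int {
    if (!isset($_SESSION['user_id'], $_SESSION['ukey'])) {
        return null;
    }
    $sth = $dbh->prepare('SELECT session_key, ip_hash FROM login_sessions WHERE user_id = ?');
    $sth->execute([$_SESSION['user_id']]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // logged out elsewhere, or never logged in
    }
    $keyOk = hash_equals($row['session_key'], (string) $_SESSION['ukey']);
    $ipOk  = hash_equals($row['ip_hash'], ip_token($_SERVER['REMOTE_ADDR'], $secret));
    return ($keyOk && $ipOk) ? (int) $_SESSION['user_id'] : null;
}
```

Binding to the address logs out anyone whose IP changes mid-session (mobile users, carrier NAT, IPv6 privacy addresses), so the IP check is a trade-off rather than a free win; the per-login key check works on its own without it.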
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

jacek wrote:Store a hash of the IP that can't be used to get back to the original IP ?
Heh, didn't think of that.

Hmm, could do.
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: Best way to do login

Post by Helx »

bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.
You seriously need to look into DMCA....
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

abcedea wrote:
bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.
You seriously need to look into DMCA....
I know what DMCA is. But the point of the website is that people don't need to be worried about any tracebacks, or as few as possible.

DMCA saves me from being sued (apparently, although the US doesn't seem to know its own laws too well). But I'm trying to help my users also, by not storing any personal data, except their username and email, which are only personal if used elsewhere.
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: Best way to do login

Post by Helx »

bowersbros wrote:-snip-
I know what DMCA is. But the point of the website is that people don't need to be worried about any tracebacks, or as few as possible.

DMCA saves me from being sued (apparently, although the US doesn't seem to know its own laws too well). But I'm trying to help my users also, by not storing any personal data, except their username and email, which are only personal if used elsewhere.
Ah I see.
(Are you talking about Mr. Dotcom ?)
bowersbros
Posts: 534
Joined: Thu May 05, 2011 8:19 pm

Re: Best way to do login

Post by bowersbros »

abcedea wrote:
bowersbros wrote:-snip-
I know what DMCA is. But the point of the website is that people don't need to be worried about any tracebacks, or as few as possible.

DMCA saves me from being sued (apparently, although the US doesn't seem to know its own laws too well). But I'm trying to help my users also, by not storing any personal data, except their username and email, which are only personal if used elsewhere.
Ah I see.
(Are you talking about Mr. Dotcom ?)
Pretty much yes.