Page 1 of 1
Best way to do login
Posted: Sat Aug 04, 2012 3:20 pm
by bowersbros
Whats the best way to do a login?
Should I set a session for the ID, and then a secret key which changed on each time they login, and check those two in the database?
Or is there a better / more efficient method?
Re: Best way to do login
Posted: Mon Aug 06, 2012 11:55 am
by jacek
if (isset($_POST['username'], $_POST['password']) && correct_password($_POST['username'], $_POST['password'])){
$_SESSION['username'] = $_POST['username'];
}
Then
if (isset($_SESSION['username'])){
echo 'Yay, you logged in !';
}
How else could you do it ?
Re: Best way to do login
Posted: Mon Aug 06, 2012 1:33 pm
by bowersbros
What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.
Re: Best way to do login
Posted: Tue Aug 07, 2012 8:31 pm
by wrichards8
You should probably have the users' ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.
Re: Best way to do login
Posted: Tue Aug 07, 2012 8:54 pm
by bowersbros
wrichards8 wrote:You should probably have the users' ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.
That could be easy to fake. Depending on setup of profile pages etc.
The way I chose to do this in the end was:
public static function login($param1 = null,$password = null){
if(isset($param1,$password)){
$param1 = filter_var($email,FILTER_VARIABLE_EMAIL);
if($param1 === true){
$email = $param1;
$email = $dbh->quote($email);
$login_attempt = self::check_credentials('email', $email, $password);
if($login_attempt === true){
// login successful
$uniqid = uniqid();
$userid = self::getUserId($email);
$key = hmac_hash('sha256', $uniqid . $userid);
$sth = $dbh->query('DELETE FROM login_sessions WHERE user_id = "'.$userid.'"');
$sth->execute();
$sth = $dbh->query('INSERT INTO login_sessions SET user_id = "'.$userid.'" and key = "'.$key.'"');
$sth->execute();
$_SESSION['ukey'] = $key;
$_SESSION['username'] = self::getUsername($userid);
return true;
} else {
return false;
}
} else {
$user = $param1;
$user = $dbh->quote($user);
$login_attempt = self::check_credentials('username',$user, $password);
if($login_attempt == true){
// login successful
$uniqid = uniqid();
$userid = self::getUserId($email);
$key = hmac_hash('sha256', $uniqid . $userid);
$sth = $dbh->query('DELETE FROM login_sessions WHERE user_id = "'.$userid.'"');
$sth->execute();
$sth = $dbh->query('INSERT INTO login_sessions SET user_id = "'.$userid.'" and key = "'.$key.'"');
$sth->execute();
$_SESSION['ukey'] = $key;
$_SESSION['username'] = self::getUsername($userid);
return true;
} else {
return false;
}
}
} else {
return false;
}
}
Re: Best way to do login
Posted: Wed Aug 08, 2012 2:04 am
by jacek
bowersbros wrote:What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.
Link the session ID to the IP address, problem solved
Plus they have to be able to guess the session ID which is not easy
Re: Best way to do login
Posted: Wed Aug 08, 2012 11:06 am
by bowersbros
jacek wrote:bowersbros wrote:What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.
Link the session ID to the IP address, problem solved
Plus they have to be able to guess the session ID which is not easy
Im trying to do the entire project without storing personally identifiable information, except their email address.
So, no IP storing
Re: Best way to do login
Posted: Wed Aug 08, 2012 12:31 pm
by Kamal
bowersbros wrote:
So, no IP storing
You are already doing that, look at your nginx logs
Re: Best way to do login
Posted: Wed Aug 08, 2012 1:25 pm
by bowersbros
Kamal wrote:bowersbros wrote:
So, no IP storing
You are already doing that, look at your nginx logs
Im planning on having no logs eventually, Im currently logging stuff so that I can keep track of any visitors I dont particarly want yet
Re: Best way to do login
Posted: Thu Aug 09, 2012 10:51 am
by Kamal
bowersbros wrote:Kamal wrote:bowersbros wrote:
So, no IP storing
You are already doing that, look at your nginx logs
Im planning on having no logs eventually, Im currently logging stuff so that I can keep track of any visitors I dont particarly want yet
You can log only the things you want in nginx
Re: Best way to do login
Posted: Sun Aug 12, 2012 12:18 am
by jacek
bowersbros wrote:Im trying to do the entire project without storing personally identifiable information, except their email address.
So, no IP storing
Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load
Re: Best way to do login
Posted: Sun Aug 12, 2012 12:20 am
by bowersbros
jacek wrote:bowersbros wrote:Im trying to do the entire project without storing personally identifiable information, except their email address.
So, no IP storing
Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load
Because Im doing an upload website, which if it doesn't store peoples IP then they'd be much more willing to use the website, Since I can guarantee that not all 100% of the data is going to be legal.
Re: Best way to do login
Posted: Sun Aug 12, 2012 12:23 am
by jacek
Store a hash of the IP that can't be used to get back to the original IP ?
Re: Best way to do login
Posted: Sun Aug 12, 2012 12:36 am
by bowersbros
jacek wrote:Store a hash of the IP that can't be used to get back to the original IP ?
Heh, didn't think of that.
Hmm, could do.
Re: Best way to do login
Posted: Sat Sep 01, 2012 9:01 am
by Helx
bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.
You seriously need to look into DMCA....
Re: Best way to do login
Posted: Sat Sep 01, 2012 10:38 am
by bowersbros
abcedea wrote:bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.
You seriously need to look into DMCA....
I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.
DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.
Re: Best way to do login
Posted: Sat Sep 01, 2012 11:48 am
by Helx
bowersbros wrote:-snip-
I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.
DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.
Ah I see.
(Are you talking about Mr. Dotcom ?)
Re: Best way to do login
Posted: Sat Sep 01, 2012 12:18 pm
by bowersbros
abcedea wrote:bowersbros wrote:-snip-
I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.
DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.
Ah I see.
(Are you talking about Mr. Dotcom ?)
Pretty much yes.