BetterPHP

Whats the best way to do a login?

Should I set a session for the ID, and then a secret key which changed on each time they login, and check those two in the database?

Or is there a better / more efficient method?

[syntax=php]if (isset($_POST['username'], $_POST['password']) && correct_password($_POST['username'], $_POST['password'])){
$_SESSION['username'] = $_POST['username'];
}[/syntax]
Then

[syntax=php]if (isset($_SESSION['username'])){
echo 'Yay, you logged in !';
}[/syntax]
How else could you do it ?

What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.

You should probably have the users' ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.

wrichards8 wrote:You should probably have the users' ID, from the database, in the session and then the username. Then you can check to see whether the user ID and the username match.

That could be easy to fake. Depending on setup of profile pages etc.
The way I chose to do this in the end was:

[syntax=php]public static function login($param1 = null,$password = null){
if(isset($param1,$password)){
$param1 = filter_var($email,FILTER_VARIABLE_EMAIL);
if($param1 === true){
$email = $param1;
$email = $dbh->quote($email);
$login_attempt = self::check_credentials('email', $email, $password);
if($login_attempt === true){
// login successful
$uniqid = uniqid();
$userid = self::getUserId($email);

$key = hmac_hash('sha256', $uniqid . $userid);
$sth = $dbh->query('DELETE FROM login_sessions WHERE user_id = "'.$userid.'"');
$sth->execute();
$sth = $dbh->query('INSERT INTO login_sessions SET user_id = "'.$userid.'" and key = "'.$key.'"');
$sth->execute();
$_SESSION['ukey'] = $key;
$_SESSION['username'] = self::getUsername($userid);
return true;
} else {
return false;
}
} else {
$user = $param1;
$user = $dbh->quote($user);
$login_attempt = self::check_credentials('username',$user, $password);
if($login_attempt == true){
// login successful
$uniqid = uniqid();
$userid = self::getUserId($email);

$key = hmac_hash('sha256', $uniqid . $userid);
$sth = $dbh->query('DELETE FROM login_sessions WHERE user_id = "'.$userid.'"');
$sth->execute();
$sth = $dbh->query('INSERT INTO login_sessions SET user_id = "'.$userid.'" and key = "'.$key.'"');
$sth->execute();
$_SESSION['ukey'] = $key;
$_SESSION['username'] = self::getUsername($userid);
return true;
} else {
return false;
}
}
} else {
return false;
}
} [/syntax]

bowersbros wrote:What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.

Link the session ID to the IP address, problem solved Plus they have to be able to guess the session ID which is not easy

jacek wrote:

bowersbros wrote:What I mean though, is that it is too easy for someone to create a session isn't it, and fake their way to me believing that they're someone else.

Link the session ID to the IP address, problem solved Plus they have to be able to guess the session ID which is not easy

Im trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing

bowersbros wrote:So, no IP storing

You are already doing that, look at your nginx logs

Kamal wrote:

bowersbros wrote:So, no IP storing

You are already doing that, look at your nginx logs

Im planning on having no logs eventually, Im currently logging stuff so that I can keep track of any visitors I dont particarly want yet

bowersbros wrote:

Kamal wrote:

bowersbros wrote:So, no IP storing

You are already doing that, look at your nginx logs

Im planning on having no logs eventually, Im currently logging stuff so that I can keep track of any visitors I dont particarly want yet

You can log only the things you want in nginx

bowersbros wrote:Im trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing

Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load

jacek wrote:

bowersbros wrote:Im trying to do the entire project without storing personally identifiable information, except their email address.

So, no IP storing

Interesting challenge, but why bother ? Storing the IP makes this very easy and reduces your queries per page load

Because Im doing an upload website, which if it doesn't store peoples IP then they'd be much more willing to use the website, Since I can guarantee that not all 100% of the data is going to be legal.

Store a hash of the IP that can't be used to get back to the original IP ?

jacek wrote:Store a hash of the IP that can't be used to get back to the original IP ?

Heh, didn't think of that.

Hmm, could do.

bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.

You seriously need to look into DMCA....

abcedea wrote:

bowersbros wrote:Since I can guarantee that not all 100% of the data is going to be legal.

You seriously need to look into DMCA....

I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.

DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.

bowersbros wrote:-snip-
I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.

DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.

Ah I see.
(Are you talking about Mr. Dotcom ?)

abcedea wrote:

bowersbros wrote:-snip-
I know what DMCA is. But, the point of the website is that people don't need to be worried about any tracebacks. Or as few as possible.

DMCA saves me from being sued (apparently. Although the US doesn't seem to know its own laws too well) But, I'm trying to help my users also, by not storing any personal data, except their username and email which are only personal if used elsewhere.

Ah I see.
(Are you talking about Mr. Dotcom ?)

Pretty much yes.