So I'm looking for the best advice on how to tackle a problem. I wanted to allow my members to be able to stay logged in on devices when they checked "Keep me logged in". But after researching I found out that cookies would do it, but it's not secure.
So my second idea was instead just to remember the page they were on and go back to it after logging back in. Simple enough. More secure (theoretically).
But the only way I can think of is by making a table in the database that records the current page the member goes to, and updates it each time they go to a new one.
Is this the best way to approach the solution, or are there any better ways? I'm open to all suggestions, and could not find any solutions elsewhere in the forums. (I'm using PHP and MySQLi)
Your best bet is to use a combination of cookies and sessions to do this. Or even secure cookies. Check out this link.
https://en.wikipedia.org/wiki/Secure_cookie
Try to use one of the functions in this guide.
DOM Storage Guide
I never tested it, but what I think you need is localStorage.
Or this: Using IndexedDB
I am currently building a network and I am using PHP to do it. I have code that is working, but I am not sure it's the most correct and secure way to do it.
For simplification I have 4 files: Index (index.php) / Member Area (profile.php) / Sign-in (signin.php) / Login page (homepage.php).
When the user signs in and submits username and password, the info is sent to signin.php, and if it is correct a session is created using this code:
<?php
session_start();                      // must run before any output is sent
// $username comes from the sign-in form, after the credentials were checked
$_SESSION['username'] = $username;
Now in index.php what I do is check if a session is already created: if yes, the user sees profile.php, if not he sees homepage.php, and for this purpose I am using this code:
<?php
session_start();                      // must run before any output is sent
if (!isset($_SESSION['username'])) {
    // no logged-in session: show the login form
    include('homepage.php');
    die();
} else {
    // logged in: show the member area
    include('profile.php');
    die();
}
So if the user is logged in, the index will show him his member area; if not, the index will show him the login form.
Can I rely on this to be secure?
Am I doing it the right way? Do you have any suggestions?
Thank you all.
Based on your comment, you might want to think deeply about what you require from your future application. It comes down to making as smart decisions as possible beforehand. I don't want to take the wind from your wings... but.....
For example, if you want your site to be responsive (especially in future), not only in styling but also usability wise, you should already consider frameworks such as jQuery or AngularJS. And connecting them to an API that you write in a mix with PHP generated pages.
The site would end up being a mix of server side generated output and API responses filling the frontend with life when clicking/entering stuff.
The next step would be to consider using a PHP framework. Even though writing your own social network site would be cool, do you really need to reinvent all those wheels? You might want to look into Laravel, Symfony or CodeIgniter etc... They offer secure login mechanisms that you can configure however you need them.
If you want to go the hard way.... (while you would still become a great programmer if you use frameworks) for starters look at PHPAuth to help you kick start your login and authentication flow or PHP-JWT for token based authentication (from any device). GUMP for form validation. PDO for making secure queries to your database.
If applicable, when you come to the question of which web server I would use for social network projects, I would go for nginx for now. It is highly scalable, has nice performance and has the potential to be more secure than an Apache setup, for example.
This is really 2 different things:
1. Are you using sessions the right way? Technically yes. As long as the session is started before any output is sent (including headers), then sessions will work. What you put into them and how you use that is up to you. Sessions just keep state between requests. Default PHP sessions have some technical limitations depending on what you want to do, but most stuff should be fine.
2. Is it secure? This is different and really has less to do with sessions and more to do with general security. This boils down to how you are storing, transmitting, and encoding your passwords. There are many tutorials on how to do this well. Also, how well you secure your session cookie. Again, many good articles on this. Lastly, use SSL. Most up-to-date browsers won't even display a web site without one if it has any sort of security form on it.
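The two points in this answer (password storage and a hardened session cookie) in working form, as an added example that is not the asker's code or any poster's code. It assumes PHP 7.3 or later, a PDO connection `$pdo`, and a constructed `users` table with columns `id`, `username` and `password_hash`, where `password_hash` was produced by `password_hash($pw, PASSWORD_DEFAULT)`. It keeps the original index.php structure but keys the check on a numeric user id, sets the cookie flags before `session_start()`, and regenerates the session id on login.

```php
<?php
// Added example (not code from this thread): hardened sign-in and
// index.php check. Assumes a PDO connection $pdo and a constructed
// users(id, username, password_hash) table.
declare(strict_types=1);

// 1. Configure the session cookie BEFORE session_start(), and before
//    any output. These flags are what "securing the session cookie"
//    concretely means.
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // expires with the browser session
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS (the "use SSL" point)
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    session_start();
}

// 2. Check the password against a stored password_hash(); on success
//    rotate the session id so an id handed out before login cannot be
//    reused (session fixation).
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so an
    // unknown username does not return measurably faster than a bad password.
    $hash = $row['password_hash'] ?? password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $row === false) {
        return false;
    }

    session_regenerate_id(true);
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['username']     = $username;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// 3. The index.php decision, same idea as the original check.
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// 4. Logout clears server-side state and expires the cookie.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage in index.php:
//   start_secure_session();
//   include current_user_id() === null ? 'homepage.php' : 'profile.php';
```

The `password_verify` call runs even when the user row is missing, which is deliberate: it costs one hash computation but keeps the failure path's timing the same for unknown and known usernames.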
I have a 'working' login form which validates and uses bound variables.
My site now is almost ready (content wise) to be put online, so I'm now coming back to the login process as I want that 100% before releasing to the public.
I want to have a remember me function, but can't find any help / tutorials on going about it via a database. I read a post here a while back that said the best way was to store hashed values in the DB and check them against a cookie.
I can't find this post anymore and googling returns old code or simple cookies for the function. I can find various posts talking about the area, but no code I can view and try to implement.
I want to learn the 'proper' way to do this so just need pointing in the right direction.
As well as this, I will create a delay timer on incorrect attempts and also use some hidden fields. But the remember me comes first.
Thanks, Craig.
Using cookies and checking the value in the database would be the best approach. There are many tutorials on how you can make such a function. This post seems to cover what you need to know.
As mentioned there, you need to remember that a remember-me cookie can't be 100% secure, so when the user logs in with the cookie and is about to edit some very sensitive information, a re-login should be required.
I have created a login page using the logic shown in the video http://www.youtube.com/watch?v=hAkKC8DKN9A but unfortunately, after doing the whole code in one of my sites using the same logic and hosting it on our office server, I realise that this particular code doesn't work in medium-level Internet security in Internet Explorer.
The problem is while passing variables to another page using session: I figured out that variables stored in the session are never passed, which is the most important thing in my code. I don't face this issue in Mozilla and Google Chrome.
Is there any way of passing variables stored in the session to work in medium-level security in Internet Explorer using the same code shown in the video?
Thanks
I've been thinking about this stuff some more and I've been searching the web for some tutorials for login system, but I can't find one that covers everything appropriately. I think it would be better to just read up on every aspect of it individually.
For instance; most of the tutorials I've seen don't even know the difference between encrypting or hashing. The one you've used even uses md5(md5($pw)); to make "better encryption", just thinking of production code that actually uses this makes me cringe.
So what I think you should do is think about what kind of stuff do you need for a good, safe login system. Ask questions like; "How do I store passwords safely?", "What is the best practice for redirecting a user?", "What is SQL injection and how can I prevent it?" and "What is the difference between GET and POST requests and when should I use which one?". If you try to get an answer to these questions one by one you will find much better answers. Then, with a good understanding of how this stuff works it will be easy to piece together a safe and user-friendly login system.
I have a website/webapp where you can log in and it starts a PHP session.
If a user adds the site to their homescreen they have to log in every time they start the app.
I know this is a well-known issue but I can't find a good and complete solution. I want the users to be able to open the app and, if they have been logged in before, they should become logged in from the start.
I have read a bit about local storage, which seems to maybe be something, but I'm worried about the security issues of storing something locally. I don't want a user to pose as another. Maybe you can encrypt the stored values somehow?
Does anyone know how I can solve this?
Seems obvious.... is there a reason you haven't tried Cookies?
Store the session data in a database on your server, with some sort of hash, then simply pass that hash to the user in a cookie so they can retrieve it when they get back to your site.
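The approach this answer describes (a server-side record, a random secret handed to the browser in a cookie, and only a hash of that secret kept in the database) is the same one the earlier "remember me" answer and the "secure cookie" answer point at. Here it is as one added example, not code from any poster: the selector/validator pattern. It assumes PHP 7.3 or later, a PDO connection `$pdo`, and the constructed `remember_tokens` table shown in the comment. Because only a SHA-256 hash of the validator is stored, someone who reads the table cannot forge a working cookie, and a wrong validator for a known selector is treated as a stolen-cookie signal and revoked.

```php
<?php
// Added example (not from this thread): persistent "remember me" login
// backed by MySQL. Assumes a PDO connection $pdo and this constructed table:
//   CREATE TABLE remember_tokens (
//     selector   CHAR(24) NOT NULL PRIMARY KEY,  -- public lookup key
//     token_hash CHAR(64) NOT NULL,              -- sha256 hex of the validator
//     user_id    INT      NOT NULL,
//     expires_at DATETIME NOT NULL
//   );
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

// Call after a successful password login when "Keep me logged in" is ticked.
function issue_remember_token(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, finds the row
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, the secret
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([
        $selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires),
    ]);

    // The browser gets both halves; the database never sees the raw validator.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, otherwise null. The caller
// should then session_regenerate_id(true) and fill $_SESSION, and still
// require a fresh password before sensitive actions (as the answer says).
function user_id_from_remember_cookie(PDO $pdo): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                          // malformed cookie
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT token_hash, user_id FROM remember_tokens
         WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                          // unknown or expired selector
    }

    // Constant-time comparison of the hashes.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: likely a copied or guessed cookie.
        // Revoke this token so it cannot be retried.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Logout / password change: drop every token for the user and clear the cookie.
function revoke_remember_tokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The selector exists so the database lookup uses an indexed equality match while the secret is still compared with `hash_equals`; looking the row up by the validator's hash directly would work too, but this split keeps the timing of the lookup independent of the secret.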
I'm trying to find a lightweight PHP session handling library; I've googled and fallen into confusion.
I want a library that stores sessions using MySQL
allows kicking out of logged in user
does ip matching
browser matching
secure to session hacking etc.
Any ideas?
If you're familiar with MySQL and PHP it's rather trivial to write your own session handler.
http://php.net/manual/en/function.session-set-save-handler.php
It may be faster to write a personalized one than searching for exactly what you want.
You could have a look at this article by Chris Shiflett, which describes making changes to session_set_save_handler().
You may want to check out this class that I made a while ago... it does everything that you say except for kicking a user out, but you can make a function that does that in 5 minutes (just call the delete method with the user id that you want to kick out).
It still needs documentation and some tweaks here and there, but you can give yourself an idea of how it's done.
I wouldn't rely on the user's IP for security; if they're using rotating IPs (some cellphone companies) or they're behind Tor or something you're going to have issues. Use user_agent instead.
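The pieces asked for in this question (MySQL storage, user-agent matching, kicking a user out) fit in a small `session_set_save_handler()` class, which is what the two answers above suggest writing. The following is an added example, not the class the poster links to or any library: it implements `SessionHandlerInterface` over PDO, assumes PHP 8.0 or later (for the union return types) and the constructed `sessions` table in the comment, and follows this answer's advice of binding to the user agent rather than the IP. The `kickUser()` method is the "delete by user id" the poster describes.

```php
<?php
// Added example (not the poster's class): MySQL-backed PHP session handler
// with user-agent binding and a kick-out method. Assumes a PDO connection
// and this constructed table:
//   CREATE TABLE sessions (
//     id         VARCHAR(128) NOT NULL PRIMARY KEY,
//     user_id    INT          NULL,
//     ua_hash    CHAR(64)     NOT NULL,
//     data       BLOB         NOT NULL,
//     updated_at INT UNSIGNED NOT NULL
//   );
declare(strict_types=1);

final class MysqlSessionHandler implements SessionHandlerInterface
{
    private PDO $pdo;
    private string $uaHash;
    private ?int $userId = null;

    public function __construct(PDO $pdo, string $userAgent)
    {
        $this->pdo    = $pdo;
        $this->uaHash = hash('sha256', $userAgent);
    }

    // Call after login so the row carries the user id (needed by kickUser).
    public function bindUser(int $userId): void { $this->userId = $userId; }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data, ua_hash, user_id FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '';                      // unknown id: PHP starts an empty session
        }
        // The id was stored from a different browser: refuse the data and drop
        // the row instead of handing the session to the new client.
        if (!hash_equals($row['ua_hash'], $this->uaHash)) {
            $this->destroy($id);
            return '';
        }
        $this->userId = $row['user_id'] === null ? null : (int) $row['user_id'];
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // ua_hash is set on insert only, so the binding cannot be changed later.
        $stmt = $this->pdo->prepare(
            'INSERT INTO sessions (id, user_id, ua_hash, data, updated_at)
             VALUES (?, ?, ?, ?, ?)
             ON DUPLICATE KEY UPDATE user_id = VALUES(user_id),
                                     data = VALUES(data),
                                     updated_at = VALUES(updated_at)'
        );
        return $stmt->execute([$id, $this->userId, $this->uaHash, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }

    // "Kick out": removing every row for the user invalidates all of their
    // sessions on the next request, whatever cookie the browser still holds.
    public function kickUser(int $userId): int
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE user_id = ?');
        $stmt->execute([$userId]);
        return $stmt->rowCount();
    }
}

// Usage, before session_start():
//   $handler = new MysqlSessionHandler($pdo, $_SERVER['HTTP_USER_AGENT'] ?? '');
//   session_set_save_handler($handler, true);
//   session_start();
//   // after a successful login: $handler->bindUser($userId);
```

User-agent matching is a weak check on its own, since the string is client-supplied and identical across many users; it mainly stops a copied session id from being replayed from a different browser. The server-side row is what makes kicking a user out reliable: nothing in the cookie needs to change.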