I have a 'working' login form which validates and uses bound variables.
My site now is almost ready (content wise) to be put online so I'm now coming back to the login process as I want that 100% before releasing to public.
I want to have a remember me function, but can't find any help / tutorials on going about it via a database. I read a post here a while back that said the best way was to store hashed values in DB and check it against a cookie.
I can't find this post anymore and googling returns old code or simple cookies for the function. I can find various posts talking about the area, but no code I can view and try to implement.
I want to learn the 'proper' way to do this so just need pointing in the right direction.
As well as this, I will create a delay timer on incorrect attempts and also use some hidden fields. But the remember me comes first.
Thanks, Craig.
Using cookies and checking the value in the database would be the best approach. There are many tutorials on how you can make such a function. This post seems to cover what you need to know.
As mentioned there, you need to remember that a remember-me cookie can't be 100% secure, so when the user logs in with the cookie and is about to edit some very sensitive information, a re-login should be required.
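The pattern the answer describes (hashed value in the database, checked against a cookie), as an added example that is not part of the original thread. It uses PDO with an in-memory SQLite table so it runs stand-alone; the table name and columns, the cookie name and the 30-day lifetime are this example's own choices, and it assumes PHP 7.3 or newer for the `setcookie()` options array.

```php
<?php
// Added example: "remember me" with a selector/validator cookie.
// The database keeps only a hash of the validator, so a leaked table cannot be turned into cookies.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';   // constructed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, an assumed lifetime

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // in-memory SQLite so the example runs anywhere; swap the DSN for MySQL in a real site
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL,
            expires INTEGER NOT NULL)');
    }
    return $pdo;
}

// Called after a successful password login when "remember me" was ticked.
function issueRememberToken(int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $stmt = db()->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    $cookie = $selector . ':' . $validator;
    if (!headers_sent()) {
        setcookie(REMEMBER_COOKIE, $cookie, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,   // only over HTTPS
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $cookie;
}

// Returns the user id the cookie belongs to, or null. The selector finds the row,
// hash_equals() compares the validator hash in constant time.
function userFromRememberCookie(?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int)$row['expires'] < time() || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // expired, or a known selector with a wrong validator (tampered or stolen cookie): drop the token
        db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int)$row['user_id'];
}

// Revoke every remembered device for a user (password change, "log out everywhere").
function revokeRememberTokens(int $userId): void {
    db()->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}

// Constructed demo run.
$cookie = issueRememberToken(42);
echo 'valid cookie:    ', var_export(userFromRememberCookie($cookie), true), PHP_EOL;
echo 'unknown cookie:  ', var_export(userFromRememberCookie('bogus:bogus'), true), PHP_EOL;
$tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === '0' ? '1' : '0');
echo 'tampered cookie: ', var_export(userFromRememberCookie($tampered), true), PHP_EOL;
echo 'after tampering: ', var_export(userFromRememberCookie($cookie), true), PHP_EOL;
```

When a request is authenticated this way, record how the user got in (for instance `$_SESSION['auth'] = 'remembered'` rather than `'password'`) and ask for the password again before the sensitive edits the answer mentions; `revokeRememberTokens()` belongs in the password-change and logout-everywhere paths.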
What is the best approach if I've to use an LDAP authentication - which isn't in my control - but after it's successful I'd like to make some pages available to a set of users? Do I have to store the selected users data somewhere?
It's hard to give concrete advice without knowing what you already tried and did. So it's a fairly broad question I can't give a concrete answer to.
But I can give you some hints as to where to look for more information:
You will need to do authentication against LDAP. There are a lot of examples around on the web. Which one you use depends on whether you are using a framework or want to solve it with plain old PHP. One - but by far not the only - example can be found here.
You will need some form of authorization whether the logging in user is allowed to see those pages or not. You can either do that by storing a list of usernames that are allowed to see the pages or by using a certain LDAP group whose users are allowed to see the pages.
Whether you store the user information persistently in a database or in the session depends on the use case. I wouldn't store the user information persistently but simply in the user's session after the user logs in. But as I said, that depends on the use case.
I hope that helps somehow.
Cheers
So I'm looking for the best advice on how to tackle a problem. I wanted to allow my members to be able to stay logged in on devices when they checked "Keep me logged in". But after researching I found out that cookies would do it, but it's not secure.
So my second idea was instead just remember the page they were on and go back to it after logging back in. Simple enough. More secure (theoretically).
But the only way I can think of is by making a table in the database that records the current page the member goes to, and updates it each time they go to a new one.
Is this the best way to approach the solution, or are there any better ways? I'm open to all suggestions, and could not find any solutions elsewhere in the forums. (I'm using PHP and MySQLi)
Your best bet is to use a combination of cookies and session to do this. Or even secure cookies. Check out this link.
https://en.wikipedia.org/wiki/Secure_cookie
Try to use one of the functions in this guide.
DOM Storage Guide
I never tested it but what I think you need is localStorage.
or this Using IndexedDB
I am looking to be able to have my Cordova/PhoneGap 3.0 app, connect to a database and retrieve user information given a particular username to query data for. Then I also want to store the returned information on the device for future access.
I imagine that I would need to pass the username and password entered in the app, to an AJAX post method, that links to a php script that takes the input and queries the database, then returns the information I need... But I'm not sure as to how I will go about doing that because I've never used AJAX post methods to a php script to return information.
As for storing it, I have heard that there is somewhat of a SQL database present on the phonegap cordova framework? I may be wrong on that one, maybe it was a hack I saw at some point, but I am just looking to see how I could go about storing and calling upon stored variables in the application.
Any suggestions or help would be greatly appreciated!
Thank you in advance!
I haven't done this with PhoneGap, but I've done some work on something similarish using another cross-platform mobile framework, so I thought I'd add some comments --
First, I don't think storing the returned data on the device is necessarily a good idea, because if the data can be edited, how will you make sure it will stay in sync with the server? Easier just to re-obtain it when you need it.
Secondly, when I did this, I ended up writing an actual login API in the PHP script that would return sessionID, which would get stored on the phone, then I could send sessionID back when the logged in session was required to avoid saving passwords (and what if password changes after they enter password?) or repeatedly asking for passwords.
Thirdly, I'm not sure how PhoneGap works, but I had difficulty getting it all to work together due to cross-domain request problems (especially with post.) You'll probably at least have to do part of what I did, which is add headers to your php scripts:
header('Access-Control-Allow-Origin: *');
header('Access-Control-Allow-Headers: X-Requested-With');
Fourth, I recommend looking into RESTful. You'll probably at the least want your PHP to return the results in json.
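The login API the answer describes (the script returns a session id as JSON, the app sends it back later instead of the password), as an added example that is not the answerer's code. Two things are assumed: the user table and token store are constructed in-memory arrays standing in for database tables, and the CORS header is restricted to an allowlist of origins (`ALLOWED_ORIGINS`, a placeholder) instead of the `*` shown above, because a wildcard lets any website call the endpoint from a browser.

```php
<?php
// Added example: JSON login endpoint for a mobile client with allowlisted CORS origins.
declare(strict_types=1);

const ALLOWED_ORIGINS = ['https://app.example.com']; // placeholder: put the app's real origin(s) here
const SESSION_TTL     = 3600;                        // assumed session lifetime in seconds

// CORS: echo only an allowlisted origin and Vary on it so shared caches keep responses apart.
function corsHeaders(?string $origin): array {
    if ($origin === null || !in_array($origin, ALLOWED_ORIGINS, true)) {
        return [];
    }
    return [
        'Access-Control-Allow-Origin'  => $origin,
        'Vary'                         => 'Origin',
        'Access-Control-Allow-Methods' => 'POST, OPTIONS',
        'Access-Control-Allow-Headers' => 'Content-Type, X-Requested-With',
    ];
}

// Constructed user store: username => password hash (never the plaintext password).
$USERS = ['alice' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
// Hash to verify against when the username is unknown, so both paths cost about the same time.
$DUMMY_HASH = password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
// Server-side token store: sessionId => ['user' => ..., 'expires' => ...]; a DB table in a real app.
$SESSIONS = [];

function login(array $users, string $dummyHash, array &$sessions, string $username, string $password): array {
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : $dummyHash);
    if (!$known || !$ok) {
        // one generic message: the client must not learn which part was wrong
        return ['status' => 401, 'body' => ['error' => 'invalid credentials']];
    }
    $sessionId = bin2hex(random_bytes(32)); // unguessable, stored server-side only
    $sessions[$sessionId] = ['user' => $username, 'expires' => time() + SESSION_TTL];
    return ['status' => 200, 'body' => ['sessionId' => $sessionId, 'expires' => $sessions[$sessionId]['expires']]];
}

// Later requests send the sessionId; this resolves it back to a user or rejects it.
function userForSession(array $sessions, ?string $sessionId): ?string {
    if ($sessionId === null || !isset($sessions[$sessionId]) || $sessions[$sessionId]['expires'] < time()) {
        return null;
    }
    return $sessions[$sessionId]['user'];
}

function respond(array $result, array $cors): void {
    if (!headers_sent()) {
        http_response_code($result['status']);
        header('Content-Type: application/json');
        foreach ($cors as $name => $value) {
            header("$name: $value");
        }
    }
    if ($result['body'] !== null) {
        echo json_encode($result['body']), PHP_EOL;
    }
}

// Request handling; in the app this is fed by an AJAX POST carrying a JSON body.
$cors = corsHeaders($_SERVER['HTTP_ORIGIN'] ?? null);
if (($_SERVER['REQUEST_METHOD'] ?? 'POST') === 'OPTIONS') {
    respond(['status' => 204, 'body' => null], $cors); // preflight
    exit;
}
$input = json_decode(file_get_contents('php://input') ?: '{}', true) ?: [];
// constructed fallback credentials so the script also runs from the command line
$username = (string)($input['username'] ?? 'alice');
$password = (string)($input['password'] ?? 'correct horse battery');
$result = login($USERS, $DUMMY_HASH, $SESSIONS, $username, $password);
respond($result, $cors);
echo 'resolves to: ', var_export(userForSession($SESSIONS, $result['body']['sessionId'] ?? null), true), PHP_EOL;
```

The app keeps only the returned `sessionId`, which the server can expire or revoke at any time; that is what avoids the stored-password problem the answer raises (a changed password invalidates nothing the device holds).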
I guess this is more of just a personal preference question, but I'm really concerned with performance. I'm working on a little project and one thing that people can do is RSVP to events. Now I know the option that people choose (attend or not attend) must be stored in a database, but to make the site look a little better, I also want the button that allows someone to attend switch to not attend when they click it.
At this point I'm thinking of three options, either query the database, figure out if the person is attending, and display the appropriate button. -OR- I could save the information in a cookie and just pray that the user doesn't delete the information. -OR- I could save the information in a cookie, if the cookie is present then display whatever the cookies says, if not then query the database. Option 3 seems the best to me.
I always kind of inspect major sites and look at some of the techniques they use. They tend to keep the cookie count under 20. Is there anything bad about option 3, or is it the way I should go. Thanks!
If you use a cookie, you can expect that there is some other person who uses the same machine, the same user account, the same browser, the same settings. There can be also a person who uses different browsers. There can be also two persons who share two computers.
If the users log in you can use sessions, it is a cookie, of course, but you can identify the user, so he knows "it's not me".
And about performance: if you set your cookie, it takes also time to get it and then send it, via http headers and responses. But the best idea would be to benchmark this. Because of the small time to access db and for the reasons I stated before, I would use the db.
Store it in the db. If the user logs in on a 2nd machine and changes the status, the wrong status will show when they go back to the 1st machine.
Without the details on how people access the site, whether they are logged in or not, it is hard to say but I would agree with you on the 3rd option - query the cookie first, if there is nothing, query the database - which works as long as no two people use the same computer session.
Another option that may work (or not depending on your web app) is to have individualized links. This can work nicely if people come to your site from email links with a url similar to this http://example.com/[eventid]/[uniquecode]
I'm trying to find a lightweight PHP session handling library, I've googled and fallen into confusion.
I want a library that stores sessions using MySQL
allows kicking out of logged in user
does ip matching
browser matching
secure to session hacking etc.
Any ideas?
If you're familiar with MySQL and PHP it's rather trivial to write your own session handler.
http://php.net/manual/en/function.session-set-save-handler.php
It may be faster to write a personalized one than searching for exactly what you want.
You could have a look at this article by Chris Shiflett, which describes making changes to session_set_save_handler().
You may want to check out this class that I made a while ago... it does everything that you say except for kicking a user out, but you can make a function that does that in 5 minutes (just call the delete method with the user id that you want to kick out).
It still needs documentation and some tweaks here and there, but you can give yourself an idea of how it is done.
I wouldn't rely on the user's IP for security, if they're using rotating IP (some cellphone companies) or they're behind Tor or something you're going to have issues, use user_agent instead.
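A database-backed session handler registered through `session_set_save_handler()`, with the two extras this thread asks for (kicking a user out by user id, and the browser matching the last answer suggests instead of IP matching), as an added example; it is not the class the answer links to nor the Chris Shiflett article's code. It assumes PHP 8.1 or newer, uses an in-memory SQLite database via PDO so it runs stand-alone (a MySQL DSN is the only change needed for the question), and the `sessions` table layout is this example's own. Note that the User-Agent header is chosen by the client, so the browser check is a tripwire against accidental reuse rather than a strong control.

```php
<?php
// Added example: SessionHandlerInterface implementation stored in a database table.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo, private int $lifetime = 1440)
    {
        // constructed table layout: user_id lets sessions be deleted per user, ua_hash ties a session to a browser
        $this->pdo->exec('CREATE TABLE IF NOT EXISTS sessions (
            id TEXT PRIMARY KEY, user_id INTEGER, ua_hash TEXT NOT NULL,
            data TEXT NOT NULL, expires INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->pdo->prepare('SELECT data, ua_hash FROM sessions WHERE id = ? AND expires > ?');
        $st->execute([$id, time()]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return ''; // unknown or expired: PHP starts an empty session
        }
        // browser matching: a session presented from a different User-Agent is discarded
        if (!hash_equals($row['ua_hash'], self::uaHash())) {
            $this->destroy($id);
            return '';
        }
        return $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION['user_id'] is set by the application's login code; null for anonymous sessions
        $st = $this->pdo->prepare('REPLACE INTO sessions (id, user_id, ua_hash, data, expires) VALUES (?, ?, ?, ?, ?)');
        return $st->execute([$id, $_SESSION['user_id'] ?? null, self::uaHash(), $data, time() + $this->lifetime]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE expires <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }

    // Kick a logged-in user out everywhere: remove every session bound to that user id.
    public function destroyByUser(int $userId): int
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE user_id = ?');
        $st->execute([$userId]);
        return $st->rowCount();
    }

    private static function uaHash(): string
    {
        return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    }
}

// Wiring, plus a constructed command-line demo that calls the handler directly.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$handler = new DbSessionHandler($pdo);
session_set_save_handler($handler, true); // from here on session_start() uses the table

$_SERVER['HTTP_USER_AGENT'] = 'DemoBrowser/1.0';  // constructed
$_SESSION = ['user_id' => 7];                      // what the login code would set
$sid = bin2hex(random_bytes(16));
$handler->write($sid, 'user_id|i:7;');
echo 'same browser:  ', var_export($handler->read($sid), true), PHP_EOL;

$_SERVER['HTTP_USER_AGENT'] = 'OtherBrowser/2.0'; // constructed: the id replayed from elsewhere
echo 'other browser: ', var_export($handler->read($sid), true), PHP_EOL;

$handler->write($sid, 'user_id|i:7;');
echo 'kicked out:    ', $handler->destroyByUser(7), ' session(s)', PHP_EOL;
```

In a real site only the wiring lines run at startup and `session_start()` drives `read()`/`write()`; `destroyByUser()` is the "kick out" call the answer says is easy to add, and regenerating the id with `session_regenerate_id(true)` after login keeps a pre-login id from being reused.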