I'm working on a little PHP project, and I'd like to add a user system. I'm not sure how to handle storing user sessions, since my only experience with user logins in the past was simply to use $_SESSION, which doesn't allow users to "remain logged in".
I'd like to know how it's handled in most other PHP software. From what I've gathered, the user has cookies containing their user name and a session ID token, which is also stored on the server. When a user visits the website, the user's token is then compared with the server's, and if the token hasn't expired, the user is automatically logged in?
Expiring cookies?
Store a unique ID or their hashed+salted password in a cookie and set a suitable expiry - I guess that'd do it.
[editline]01:14AM[/editline]
For Remain logged in - Set cookie expiry uber long
Essentially, yes. I would recommend against storing the username in the cookie though. Instead I'd add a remember_token column to the user entries and generate/store a hash based on their last login date and the username/email/whatever. When you initially generate that hash you will also store it in a cookie, and when a user visits the site you will check their cookies to see if they have a cookie containing a remember hash, which you then check against the database. If you find the hash that was in their cookie in the DB, log them in.
Also, the reason for using the login time as part of the hash is to help curb people faking cookies to gain access to other people's user accounts.
[php]<?php
mysql_connect("localhost", "user", "pass");
mysql_select_db("database");

if (isset($_COOKIE['remember'])) {
    // Look up the single row whose stored value matches the cookie instead of scanning every user
    $remember = mysql_real_escape_string($_COOKIE['remember']);
    $q = mysql_query("SELECT * FROM users WHERE cookie = '$remember'");
    if ($row = mysql_fetch_assoc($q)) {
        //Log In :D
    }
} elseif (isset($_POST['submit'])) {
    //mysql user checks
    if (!empty($_POST['remember'])) {
        // $username from mysql query
        $cookie = md5(time().$username);
        $safe_user = mysql_real_escape_string($username);
        // UPDATE the existing row; "INSERT ... WHERE" is not valid SQL
        mysql_query("UPDATE users SET cookie = '$cookie' WHERE username = '$safe_user'");
        setcookie("remember", $cookie, mktime(0, 0, 0, 12, 31, 2099)); //December 31st 2099 should do :D
    } else {
        // No "remember me": expire any old remember cookie so only the normal session remains
        setcookie("remember", "", time() - 3600);
    }
} else {
    echo "<form action='' method='POST'>
    Username: <input type='text' name='user'><br>
    Password: <input type='password' name='pass'><br>
    Remember Me? <input type='checkbox' name='remember'><br>
    <input type='submit' name='submit'>
    </form>";
}
?>[/php]
That'd do it - might be a few minor bugs in it - haven't tested and just rushed :smile:
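As an added example (not code from this thread or its posters), the same remember-me flow with a random token whose hash, not the token itself, is stored server-side, looked up by user id and compared in constant time. It assumes a PDO handle $pdo, a users table with id, username, remember_hash and remember_expires columns, and PHP 7.3+ for the setcookie options array.

```php
<?php
// Added example; assumes $pdo and a users table with id, username,
// remember_hash (sha256 hex) and remember_expires (unix time) columns.
const REMEMBER_DAYS = 30;

// Call after a successful password check when "remember me" was ticked.
function issueRememberToken(PDO $pdo, int $userId): void {
    // Unpredictable token from the CSPRNG rather than md5(time().$username).
    $token = bin2hex(random_bytes(32));
    // Only the hash is stored, so a leaked table cannot be replayed as cookies.
    $hash = hash('sha256', $token);
    $expires = time() + REMEMBER_DAYS * 86400;
    $stmt = $pdo->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?');
    $stmt->execute([$hash, $expires, $userId]);
    // Cookie carries "id:token"; HttpOnly/Secure keep it away from scripts and plain HTTP.
    setcookie('remember', $userId . ':' . $token, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user row when the cookie is valid and unexpired, null otherwise.
function userFromRememberCookie(PDO $pdo, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;
    }
    [$userId, $token] = $parts;
    $stmt = $pdo->prepare('SELECT id, username, remember_hash, remember_expires FROM users WHERE id = ?');
    $stmt->execute([(int) $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['remember_hash'] === null || (int) $row['remember_expires'] < time()) {
        return null;
    }
    // hash_equals avoids both timing leaks and PHP's loose == comparison.
    return hash_equals($row['remember_hash'], hash('sha256', $token)) ? $row : null;
}

// Logout: forget the token server-side and expire the cookie.
function clearRememberToken(PDO $pdo, int $userId): void {
    $pdo->prepare('UPDATE users SET remember_hash = NULL, remember_expires = NULL WHERE id = ?')
        ->execute([$userId]);
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}

// Typical use at the top of each page: fall back to the cookie only when no session exists.
session_start();
if (empty($_SESSION['user_id']) && isset($_COOKIE['remember'])) {
    if ($user = userFromRememberCookie($pdo, $_COOKIE['remember'])) {
        $_SESSION['user_id'] = $user['id'];
    }
}
```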
I store username and a unique login hash per re-login/logout, also tied to the IP. This way I can show pages using no DB queries for the username or rank (also stored). Be careful storing rank (my permissions are stored in an array for improved MySQL performance, but that's because it's a very specific setup). When actually doing something requiring rank, you still check the DB, but for displaying 'action buttons' or whatever, I use the cookie; again, it significantly reduces required queries.
That doesn't exactly account for Dynamic IP users?
[QUOTE=SGNinja101;23342906]That doesn't exactly account for Dynamic IP users?[/QUOTE]
Sticking to an IP is essential as it prevents session stealing, or makes it very difficult at least. Dynamic IPs don't change that often either.
[editline]07:02PM[/editline]
Oh yeah, also [url]http://answers.yahoo.com/question/index?qid=20090327141244AADmQ7o[/url] (read the first answer, your router keeps the IP till reboot, most people don't reboot their routers much).
I've seen Nick (Fizzadar)'s code, and I must say that he implements sessions in quite a creative and interesting manner.
Is this the right way to do a token based auth system?
[code]BEGIN
  |
SESSION EXISTS? --[YES]--> LOGGED IN
  |
 [NO]
  |
TOKEN EXISTS? --[NO]--> LOGIN
  |                       |
 [YES]                  Set token based off some user
  |                     details and PHP uniqid()
Check DB for token,       |
pull ID/username/etc    LOGGED IN
from matching record
  |
 [MATCH]
  |
LOGGED IN[/code]
Yeah, pretty much.