how to implement a login system for web apps?

I'm writing a login system for a website I'm building.

Here is the essence of how I'm implementing the login system:

I have two tables: users, and sessions.

   users: uid | uname | pass
sessions: sid | uid | ts | ts_expires

So the user enters a uname/pass combination.

• if the combination i开发者_如何学Cs incorrect, I redirect to a "bad auth" page.
• if the combination is correct, I:
  • generate a random sessionid (sid)
  • insert a record into sessions associating that sid with the uid of the username supplied.
  • set a cookie named sid with the value of the random sid just inserted into sessions.

On each page that needs the user to be logged in, I check:

• whether the cookie is set
• if the sid is valid

So my questions are:

• What could be potential problems with this mechanism?
• How should a good login system be implemented?

PS: I don't use SSL secured login yet. So that is the only problem I spot, as of now. And oh, I use php and mysql, if that is relevant.

EDIT: I store the passwords not in plaintext, but as an MD5 of the username concatenated with the password.

So, pass = MD5($uname.$pass), so to speak.

Hash that password, with a salt! Use a strong hash like bcrypt. If you have to use MD5/SHA use a technique called stretching and hash it's hashes several thousand times. The user won't care if it takes a second to check his/her password instead of 1/1000, but a brute force cracker will.

Record attempts and prevent brute force attempts.

Be very cautious of where you store the user's credentials once he logs in. You don't want them changing it.

And use SSL!

To slow down a brute force attack, put in a forced delay after a failed attempt; that is, if someone gives you the wrong password, wait three seconds before displaying the next screen with "password failed".

It's generally good practice to store the password as a salted one-way hash of the actual password rather than storing it as cleartext. You haven't stated if you do that or not, but if not, do it.

Make sure that the login has a timeout period, so it won't last forever.

Make sure that the cookie is deleted on logout.

Don't forget that the user may be logging in from a public computer and that storing login credentials as a cookie could result in a subsequent user gaining access through an abandoned session.

Designing and implementing a secure, robust, usable login system is actually pretty difficult to get right on the first try. Pages upon pages have been written about this topic - far too expansive to treat properly, here.

A good starting point is www.owasp.org. Then engage someone you work with that is knowledgeable about security, contract with a security company (such as www.matasano.com, veracode.com, or neohapsis.com - I've worked with all three, and all three are very good), and/or ask questions on security mailing lists (like the web application security list listed on securityfocus.com).