About member logins on website using PHP; What to think about?
I have a classifieds website, and I am about to create a members login section of the site.
I don't need anything advanced, just secure!
This is what I need in terms of functionality:
- Website being able to recognize members so they don't have to login again (remember me)
- Changing of their passwords and profiles
- Logout page which removes the "remember me" so that website doesn't recognize next visit as "logged in"
- Users being able to navigate while still logged in (kind of like the first functionality with "remember me" feature)
This is what I am thinking:
Create a MySql (I use MySql btw) table which contains Usernames, passwords etc.
Then create a "SESSION" in PHP and set a cookie to remember the user. This cookie will have something like this value in it:
md5(IP.username.secret_word)
which I compare on top of each page so that the user is in fact the same user.
Next I need a logout page, which I am thinking of just deleting this cookie and destroying the session. Should be enough?
As for the still logged in feature, I will use the same method as the first remember me, which is to check for the cookie.
Is there anything I need to think about before doing this?
Sql injection, hacks, security flaws?
This isn't a bank or something which needs a lot of security, but I would feel much better knowing it isn't easy to hack it.
One thing I am not sure about is the Session cookie. Is it any different from a regular cookie? Is it this cookie I should set when I use the "remember" feature?
Also, another last thing: If say 100 users are logged in at the same time, it means 100 sessions are running, will this slow down the performance of the website? (guessing yes).
Correct me, give me advice and information on how it is best done?
Thanks
My recommendation would be to avoid attempting to re-invent this particular wheel. Good security is hard to do, but there are some excellent libraries available to do the job for you, e.g. Zend Auth.
you should look at implementing openID - http://openid.net/
Is there anything I need to think about before doing this?
Sql injection, hacks, security flaws?
Yes. Do you really expect us to explain how to avoid all of these?
md5(IP.username.secret_word)
Don't use the client's IP address in any way as an identifier. While the approach you suggest would not be undermined by multiple users connecting via the same proxy, it won't work for users behind a cluster of load-balanced proxies.
I'd certainly recommend using separate cookies for the session and 'remember me' functionality (former should be a session cookie, latter with long expiry, both with HTTP only). Reasons should be obvious. Don't invent your own method for naming session cookies - they are random for a reason. For preference implement at least the login page over SSL and set the secure flag on the remember me cookie. (Which means that in the absence of an authenticated session you'll have to redirect to an HTTPS page to check the RememberMe cookie).
it means 100 sessions are running, will this slow down the performance of the website? (guessing yes)
Yes, of course it will - but the difference will be so small that you'll not be able to measure it until you get to 10,000+ sessions.
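An added example (not code from the original question or answers) of what the answer above describes: a plain PHP session cookie plus a separate long-lived "remember me" cookie, both HttpOnly and Secure, where the remember-me value is a random token rather than md5(IP.username.secret_word). Only a hash of the token's secret half is stored server side, so a database leak does not hand out usable cookies, and logout deletes the server-side row so a replayed cookie is worthless. Storage is an in-memory SQLite database through PDO so the script runs as-is on the command line; the table `remember_tokens`, its columns, the cookie name `remember_me` and the 30-day lifetime are assumptions of this example.

```php
<?php
// Added example: separate session and remember-me cookies with a random, revocable token.
// Storage: in-memory SQLite via PDO (assumed schema) so the script runs without a web server.
declare(strict_types=1);

function openTokenStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // validator_hash only: a stolen table does not yield valid cookies.
    $db->exec('CREATE TABLE remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
    return $db;
}

// Issue a token for $userId and return the cookie value "selector:validator".
function issueRememberToken(PDO $db, int $userId, int $ttlSeconds = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, stored only as a hash
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttlSeconds]);
    return $selector . ':' . $validator;
}

// Return the user id the cookie belongs to, or null if malformed, unknown, expired or tampered.
function checkRememberToken(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int)$row['user_id'];
}

// Logout: remove the server-side row, so deleting the cookie alone is not what you rely on.
function revokeRememberToken(PDO $db, string $cookie): void {
    $selector = explode(':', $cookie, 2)[0];
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Browser side. Remember-me cookie: long expiry; session cookie: lifetime 0 (dies with the
// browser). Both HttpOnly; the Secure flag assumes the site is served over HTTPS.
function sendRememberCookie(string $value, int $ttlSeconds = 30 * 86400): void {
    setcookie('remember_me', $value, [
        'expires' => time() + $ttlSeconds, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function startAuthenticatedSession(int $userId): void {
    session_set_cookie_params(['lifetime' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();
    session_regenerate_id(true);   // fresh random id at login, never a hand-made one
    $_SESSION['user_id'] = $userId;
}

function logout(PDO $db): void {
    if (isset($_COOKIE['remember_me'])) {
        revokeRememberToken($db, $_COOKIE['remember_me']);
        setcookie('remember_me', '', ['expires' => 1, 'path' => '/']);
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        $_SESSION = [];
        session_destroy();
    }
}

// Offline walk-through of the token lifecycle.
$db = openTokenStore();
$cookie = issueRememberToken($db, 42);
var_dump(checkRememberToken($db, $cookie));                           // genuine cookie
$tampered = explode(':', $cookie)[0] . ':' . bin2hex(random_bytes(32));
var_dump(checkRememberToken($db, $tampered));                         // same selector, wrong validator
revokeRememberToken($db, $cookie);
var_dump(checkRememberToken($db, $cookie));                           // cookie replayed after logout
```

On each page, check `$_SESSION['user_id']` first; only when there is no session should the remember-me cookie be checked (over HTTPS, as the answer notes), and a successful check should call `startAuthenticatedSession()` so the rest of the visit rides on the short-lived session cookie.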
You're almost there.
Just encrypt(hash) the password before putting into the Database. When users forget their passwords, you can't give them the original ones, so generate a random password for them and let them change it afterwards.
You could use SSL or another safe surfing method while they are on the login page.
You could limit the login to 3 tries in 5 mins, CAPTCHA, or something like that, to prevent automated bots.
Log ip, time and login tries and other things in DB for future investigation.
Use Mysqli or some other OOP method for DB connection and queries for possible injection hacks.
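An added example (not code from the original question or answers) putting the points of this answer together: passwords stored only as salted hashes via `password_hash()`, a random temporary password for "forgot password", every query a prepared statement with bound parameters, a limit of 3 failed attempts per username in 5 minutes, and an attempt log holding username, IP and time. It uses PDO with an in-memory SQLite database so it runs as-is on the command line; the same prepared-statement code works against MySQL by changing the DSN to `mysql:host=...;dbname=...`. The tables `users` and `login_attempts`, their columns, and the sample user and IP address are constructed for this example.

```php
<?php
// Added example: hashed passwords, prepared statements, attempt throttling and logging.
// Storage: in-memory SQLite via PDO (assumed schema) so the script runs without MySQL.
declare(strict_types=1);

function openUserStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
                                   password_hash TEXT NOT NULL)');
    $db->exec('CREATE TABLE login_attempts (username TEXT NOT NULL, ip TEXT NOT NULL,
                                   success INTEGER NOT NULL, attempted_at INTEGER NOT NULL)');
    return $db;
}

function registerUser(PDO $db, string $username, string $password): void {
    // password_hash() chooses a salted bcrypt (PASSWORD_DEFAULT); the plain password is never stored.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// 3 failures for this username within the last 5 minutes => refuse further attempts.
function isThrottled(PDO $db, string $username, int $now): bool {
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_attempts
                          WHERE username = ? AND success = 0 AND attempted_at > ?');
    $stmt->execute([$username, $now - 300]);
    return (int)$stmt->fetchColumn() >= 3;
}

// Log ip, time and outcome of every attempt for later investigation.
function recordAttempt(PDO $db, string $username, string $ip, bool $ok, int $now): void {
    $db->prepare('INSERT INTO login_attempts (username, ip, success, attempted_at)
                  VALUES (?, ?, ?, ?)')->execute([$username, $ip, $ok ? 1 : 0, $now]);
}

// Returns the user id on success, null otherwise. The username is a bound parameter, so input
// such as  alice' OR '1'='1  is compared literally instead of being parsed as SQL.
function login(PDO $db, string $username, string $password, string $ip, ?int $now = null): ?int {
    $now = $now ?? time();
    if (isThrottled($db, $username, $now)) {
        recordAttempt($db, $username, $ip, false, $now);
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user: still run password_verify() against a dummy hash so the response time
    // does not reveal which usernames exist.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash) && $row !== false;
    if ($ok && password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    recordAttempt($db, $username, $ip, $ok, $now);
    return $ok ? (int)$row['id'] : null;
}

// "Forgot password": the hash cannot be reversed, so set a random temporary password instead.
function resetPassword(PDO $db, string $username): string {
    $temporary = bin2hex(random_bytes(8));
    $db->prepare('UPDATE users SET password_hash = ? WHERE username = ?')
       ->execute([password_hash($temporary, PASSWORD_DEFAULT), $username]);
    return $temporary;   // deliver out of band (e-mail) and force a change on next login
}

// Offline walk-through with a constructed user, fixed clock and sample IP.
$db = openUserStore();
registerUser($db, 'alice', 'correct horse battery staple');
$t = 1700000000;
var_dump(login($db, 'alice', 'correct horse battery staple', '203.0.113.5', $t));   // right password
var_dump(login($db, "alice' OR '1'='1", 'anything', '203.0.113.5', $t + 1));        // injection attempt
for ($i = 0; $i < 3; $i++) {
    login($db, 'alice', 'wrong', '203.0.113.5', $t + 2 + $i);                        // three failures
}
var_dump(login($db, 'alice', 'correct horse battery staple', '203.0.113.5', $t + 10)); // throttled
```

The `$now` parameter exists only so the throttle window can be exercised deterministically here; in the live login handler omit it and the current time is used. Note the throttle keys on the username, not the IP, which fits the earlier answer's warning against treating IP addresses as identifiers.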