What is the best way to securely authenticate a user ? (session, cookies, php, mysql)

Question

What is the best way to securely authenticate a user ?

So far I was thinking of:

Generate a random $SALT for each successful login and store $logged = md5($hashed_password.$SALT) into database; delete on logout.
Store $logged into a cookie (If user checked "remember me"). Set $_SESSION['user'] = $logged;
On a visit: Check if $_SESSION['user'] is set; if not, check for cookie, if data doesn't match, redirect to login page.

What are the risks ?

http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication#477579 — sdadffdfd, Mar 14 '11 at 07:15
There is still the problem of: what if the user deletes their cookies? — Krii, Feb 10 '16 at 13:14

score 2 · Accepted Answer · answered Mar 14 '11 at 05:30

The only issue I can see with your existing framework (which I like otherwise) is that there is the possibility of collision for $logged.

It is not mathematically impossible for two valid user log-ins to result in the same hash. So I would just make sure to start storing the User id or some other unique information in the Cookie as well.

You may also want to keep a timestamp of when the $logged was put in the DB, so that you can run cleaning queries where they are older than x days/weeks.

the collision is not a problem as I can check the database before saving it, and generate another salt, until I hit an open spot. Thanks for pointing that out. — sdadffdfd, Mar 14 '11 at 05:37

score 1 · Answer 2 · answered Mar 14 '11 at 05:15

1

The first step is a bit overkill, as this is what $_SESSION['foo'] basically does client-side for the lifetime of the session. I'd just store a salted and hashed password for each user to begin with, salting with the date or other pseudo-random factors.

Setting the cookie might prove useless if the user clears their cookies, or the session expires. This will leave the user logged in (according to your database) when in reality they're not.

I'd stick to just $_SESSION['foo'] and cookies and leave the database out of the login process.

answered Mar 14 '11 at 05:15

Blender

289,723
53
439
496

How would you authenticate a user and "leave the database out of the login process" ? You kinda ... have to check his password somehow.., check if user is logged in on a computer on a second visit and fetch the user's info once he is authenticated... – sdadffdfd Mar 14 '11 at 06:54
You were mentioning that you wanted to store hashed and salted passwords temporarily within your database and the delete them. You'd still need to have the passwords (salted and hashed, I assume? If not, I'd just use `md5(username + password + global_salt)`) in the database, but don't use the database for temporary things like this. That's what `$_SESSION['foo']` is for. – Blender Mar 14 '11 at 16:37

score 1 · Answer 3 · answered Mar 14 '11 at 06:15

1

First No need of doing

Store $logged into a cookie (If user checked "remember me")

Starting the session should be the first thing you should do place session_start() on top of your index.php (file which gets executed) . This way a cookie name "phpsessid" gets created on user browser by default independent of weather user is logged in or not . value of this cookie is unique by which you can identify the user after he logs in. So you dont need to create any other cookie for this purpose.

answered Mar 14 '11 at 06:15

Mr Coder

8,169
5
45
74

so.. what happens if user checks "remember me", logs in and restarts the browser ? I think he'll get logged out – sdadffdfd Mar 14 '11 at 06:18
yes you are correct browser deletes the cookie phpsessid (by which php identify the user), you can do it manually to test delete "phpsessid" and you will be loggout on refresh. – Mr Coder Mar 14 '11 at 06:21
exactly :) .... I assume that, if a user checks "remember me" he wants to log in once, and stay that way for hours, days, weeks.. until he decides to log out. I don't see any other approach but storing a unique token on the user's machine. – sdadffdfd Mar 14 '11 at 06:24
no not exactly , google , facebook also forgets the user if you restart the browser even after you checked "remember me" – Mr Coder Mar 14 '11 at 06:28
1

No, they don't. Check your browser's settings, maybe you are deleting all cookies upon exit – sdadffdfd Mar 14 '11 at 06:30
That is correct, I login to facebook and stay logged in for weeks on in – JasonDavis Mar 16 '11 at 22:48

score 0 · Answer 4 · answered Aug 23 '13 at 20:35

0

One problem I can see - your solution sounds annoying for people who load your site in multiple browsers at the same time.

answered Aug 23 '13 at 20:35

Tim Lovell-Smith

15,310
14
76
93

score 0 · Answer 5 · answered Mar 14 '11 at 05:58

In first point you have mentioned It create random SALT string when user logged in and clear it when user log out.

Main problem is you have to check SALT string is exist or not in each redirection of page. So it create heavy traffic in Database server.
Yes this is very useful for checkout user already logged in or not.
But in case of power failure in client machine after log in when Salt string remain in database after long time.

In second point to user authentication in cookie it is not secure. Client can easily show authentication cookie in browser

In third point to store authentication in session it means create session variable on server side and store it in file on server side. It is very secure then store it in cookie.

The best way to authentication is combine point number 1 and 3 which you mention.

You can check user already logged in form other pc or not?
You can easily clear SALT string if session is not exist.
You can easily manage Login in case of pc power failure

What is the best way to securely authenticate a user ? (session, cookies, php, mysql)

5 Answers5