NYCPHP Meetup

NYPHP.org

[nycphp-talk] user authentication security structure

Mitch Pirtle mitchy at spacemonkeylabs.com
Wed Feb 4 21:24:22 EST 2004


Chris Hubbard wrote:

> No takers?

Ok, no arm twisting!  :^P

>> * will be using custom session handlers (aka Sean's article in php|arch)

Gotta pick that issue up.  Been looking at a combination of pound and 
msessions for my next biggie, wondering if there's any collective wisdom 
on this list that I could gain insight from.

>> Requirements:
>> * users can bookmark any page in the application.  When the user tries 
>> to return to a bookmarked page after the session has expired, then 
>> they are presented with the login page.  after a successful login 
>> they're redirected to the bookmarked page.

Make sure you redirect them and pass the original page's location as a 
parameter - I did this for one customer, and they were counting on their 
browser 'remembering' their login information...  But this doesn't work 
if you log in from a different URL every time!  I thought I was being 
shifty, but in effect was making them crazy.

>> Flow:
>> * user enters their username and password and submits the form
>> * code makes sure the data submitted is "clean"
>> * code checks username and password against values in db
>> * if they match, create a cookie that will expire in 10 (or so) seconds
>> * create a session
>> * redirect to home page or bookmarked page.
>> * at home page read the temp cookie and the session data; if they 
>> correspond, create a new cookie that will expire in N minutes.
>> * when user clicks "log out" destroy the session and either empty the 
>> cookie or fill it with garbage.

Use the timestamp stored with the session - I've never seen anyone hit 
the 'logout' button, ever.

>> Thoughts:
>> I'm thinking of putting a timestamp into the login cookie, so if it's 
>> presented and it's too old, I can redirect to the login page

Bingo.  The question I have is where are you storing the session data? 
What kind of performance requirements do you have?

-- Mitch
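The login flow quoted above, written out as an added example in PHP; this is not code from Chris or Mitch and uses APIs (password_hash(), session_set_cookie_params() with an array, str_starts_with()) that did not exist when the thread was written. It assumes a PDO handle `$db` and a `users` table with `username` and `password_hash` columns (both assumptions), keeps the "return to bookmarked page" parameter Mitch recommends, and, following his suggestion to rely on the timestamp stored with the session, uses a server-side `last_seen` value instead of the 10-second temporary cookie:

```php
<?php
// Added example, not code from the thread. Assumes: a PDO connection $db and
// a `users` table with `username` and `password_hash` (password_hash() output).
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60; // "N minutes" of inactivity before re-login

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie; the server-side timestamp decides expiry
        'path'     => '/',
        'secure'   => true,   // only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// The bookmarked page is passed back as ?return=...; only accept a
// same-origin, path-relative target so the parameter cannot become an
// open redirect to another site ("//evil.example" or "/\evil.example").
function safe_return_url(?string $target): string
{
    if ($target === null || $target === '' || $target[0] !== '/') {
        return '/';
    }
    if (str_starts_with($target, '//') || str_contains($target, '\\')) {
        return '/';
    }
    return $target;
}

// Step 3 of the flow: check the submitted credentials against the database.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($password, (string) $hash)) {
        return false;
    }
    session_regenerate_id(true);      // fresh session ID once the user is authenticated
    $_SESSION['user']      = $username;
    $_SESSION['last_seen'] = time();  // the timestamp stored with the session
    return true;
}

// Step 7 of the flow, called at the top of every bookmarkable page: if the
// session is live, refresh the timestamp; otherwise send the user to the
// login form with the current page as the return target.
function require_login(): void
{
    start_session();
    $alive = isset($_SESSION['user'], $_SESSION['last_seen'])
        && (time() - (int) $_SESSION['last_seen']) < IDLE_TIMEOUT;
    if (!$alive) {
        logout();
        $here = $_SERVER['REQUEST_URI'] ?? '/';
        header('Location: /login.php?return=' . rawurlencode($here), true, 303);
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Last step of the flow: drop the session data, expire the cookie, destroy
// the server-side session. Also used when the idle timeout has passed.
function logout(): void
{
    start_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Handler for the POSTed login form (the form carries a hidden `return` field
// populated from the ?return= query parameter).
function handle_login_post(PDO $db): void
{
    start_session();
    $user = trim((string) ($_POST['username'] ?? ''));
    $pass = (string) ($_POST['password'] ?? '');
    if ($user !== '' && login($db, $user, $pass)) {
        header('Location: ' . safe_return_url($_POST['return'] ?? null), true, 303);
        exit;
    }
    // On failure, fall through and re-render the form with a generic error.
}
```

With the timestamp kept in the session, the temporary 10-second cookie and the "do they correspond" check on the home page are not needed: the session cookie itself is the only client-side token, and `require_login()` applies the idle timeout on every request, so a user who never presses "log out" is still timed out. Where the session data lives (files, a database, or something like msession) is a separate choice that changes only the session save handler, not this flow.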
