login - Whats the best way to do user authentication in php? -


I'm just writing 2 cookies, 1 in which the user ID is, and 1/2 of the SH1 hash is password ( Salty) The way it works, it is self-evident.

I realized that I was not doing it the safest way. What is a better way to do this? Preferably using a single authentication cookie.

Also, is there any point in using "hard to calculate hash"? That means, using bcrypt, or husing 10,000 items with whirlpool each time, it has to do (relatively) slow hash function (less than 1 mS vs. 1 ms only) SHA1? I mean that someone violates your DB and takes the senses ... what's left there to protect it, because all your data is in one DB (unless you have some type of D- Centralized setup is not what I'm not). / P>

Store session IDs in the cookie, and log on to the user's status server side (logs) In, user id, ip).

To illustrate what you need to store in the session array:

  • Login: A Boolean variable about which user login Yes or No . You can reuse the same cookie for multiple sessions so that you remember the user's username the next time they come to your site.
  • userId: User's uniqe id in the database. Use this to get more information about users like usernames, emails etc. Even after the user is logged out, it can be placed in the session array.
  • IP: To prevent someone from stealing and using the session ID, you can also store the user's IP. This is optional, because sometimes you want to allow the user to roam (for example, the Stavekfl flow allows me to change the IP when allowing me to go with my laptop without logging out).
  • lastPing: The user has finally seen the timestamp. It can be used instead of the cookie expiration date. If you also store the session's Lifetime , you can log out the user due to inactivity. This means that the session ID cookie can be stored on users' computers for a very long time.

When the user logs out or logs out due to inactivity, then you only set logged to false. When the user logs in with the correct username and password, then you really set loggedIn and update other fields (UserID, IP, Lifetime). When the user loads a page, you can check the current time and the last ping with

The session data can either be stored in the filesystem or database if a database is stored in the userId user record is a foreign key, or all the data can be kept in the user's records. .

hashing

A value is not a good idea again several times because you use salt instead, a permanent salt (the name of the page for example) and the user's user With the name, with password. A hash that takes longer, is not better than fast hashes, a hash that is better than a hash as a result of large digestion, resulting in less digestion (due to brute force) using SHA1 is a normal site ( IE, a bank or a secret military organization) should be enough.


Comments

Post a Comment

Popular posts from this blog

sql - dynamically varied number of conditions in the 'where' statement using LINQ -

I am using my first project LINQ (in mvc), so maybe there's something very simple that I remember. However, a day of searching and experimenting does not work, so it works. I am trying to write a LINQ query (Linux to SQL) in which in many cases where the statement is different from an OR or an AND. We do not know how many conditions are going in the query till runtime. This search is for filter control, where the user can choose multiple criteria for filtering. Select from table where table.col = 1 or table.col = 2 or table.col = 7 .... 'Other number of conditions Before I just create the SQL query as a string, while looping over all the situations. However, it seems that there should be a good way to do this in LINQ. I tried to use Expression trees, but they had a second thought for this moment on my head, where the lambda function was to be executed inside the statement such as: values ​​for matchingRows = matchingRows for each value Where (function (row) row.c...
Read more

asp.net mvc - Dynamically Generated Ajax.BeginForm -

I have a problem with ASP.NET MVC Ajax forms. I generate many Ajax form in a table such as: & Lt; Input type = "submit" name = "activity" value = "add activity" / & gt; & Lt;%}% & gt; & Lt; / TD & gt; & Lt; / TR & gt; & Lt;%}% & gt; So far so good. When I post one of those forms, it gives a partial view in a div, and in this new partial view a new Ajax Beginnform (which is not in Genesis form) This second Ajax Beginnorf is exactly like the ones I got on the table, but when I post it, I do not get the "Ajax Post", but a normal post that sends me to a new page, I do not know whether the two Ajax forms What is the reason for the difference between, why is it the "dynamically generated" Ajax form behaves like a normal HTML form? By the way, I know that I can do it in different ways using javascript, but I would like to understand whether it can only be done using MVC helplars and Ajax lib...
Read more

Debug on symbian -

I am using trk for phone debug This works well for the Holorld project But when I start the project in phone debug mode 1) the load failed 2) TrkProtocolPlugin: to target the specified file Failure (please verify If any body understands what problem I am experiencing, then this problem helps me Pre-release If the application has the privileges assigned (with the appropriate certificate) itemprop = "text" > In your case, I will check: / li> If there is no conflict of application ID with any other application of device If there are problematic commands in the installation package (for example copy copy for non-accessible directories)
Read more