Author Topic: User registration, login, etc.  (Read 1614 times)

Offline Rimmy

User registration, login, etc.
« on: March 04, 2008, 06:28:12 PM »
Hey, I was wondering, how does everyone else do their login script? I was wondering if anyone could give me any direction as to how I should make it. More importantly, how do I make it secure?

Offline danielOut

Re: User registration, login, etc.
« Reply #1 on: March 04, 2008, 06:37:49 PM »
Honestly, I find it much easier to go out and get a secured one somewhere on the web and integrate it into the site. There are a lot of free ones floating about.
-danielOut

Offline Rimmy

Re: User registration, login, etc.
« Reply #2 on: March 04, 2008, 07:25:08 PM »
Even if it is easier, wouldn't you rather write the code yourself? That way, you have full control. You can do even more specialized tasks. Also, how much do you trust the free ones? Are you really willing to put all of your trust into a script you didn't write? A script that you might not have tested?

Offline danielOut

Re: User registration, login, etc.
« Reply #3 on: March 04, 2008, 07:41:26 PM »
Oh, of course I'll test it. Try my darndest to break it. And I do examine the code; I don't just paste it blindly. However, I often see security features in those that would have slipped by me. If nothing else, look at a few of them to get ideas. (Though if you're going to type the same thing yourself, wouldn't you just rather copy it over?)
-danielOut

Offline Rimmy

Re: User registration, login, etc.
« Reply #4 on: March 04, 2008, 07:47:38 PM »
Okay. I thought that maybe you just took the code off of some random website. -_-

Offline danielOut

Re: User registration, login, etc.
« Reply #5 on: March 04, 2008, 07:53:50 PM »
Oh heck no. Search through some script databases for a secure login script and look at how thorough some of them are. Way better than stuff I could do.
-danielOut

Offline Rimmy

Re: User registration, login, etc.
« Reply #6 on: March 04, 2008, 07:54:53 PM »
Do you have any links? I need all the help I can get. The place I'm currently looking at is http://www.evolt.org/PHP-Login-System-with-Admin-Features

Offline danielOut

Re: User registration, login, etc.
« Reply #7 on: March 04, 2008, 07:56:14 PM »
That's actually a pretty good one. I used that one in a testing phase site I did, and I couldn't bust it. Then again, I'm not some expert hacker or anything. Just tried some basic SQL injection stuff and it wouldn't take it.
-danielOut

Offline Rimmy

Re: User registration, login, etc.
« Reply #8 on: March 04, 2008, 07:58:06 PM »
So, do you know of any other good sites?

Offline danielOut

Re: User registration, login, etc.
« Reply #9 on: March 04, 2008, 08:10:42 PM »
http://www.skrysak.com/articles/securephp1.php is a little article on security, and a pretty good read. Not a full script, but worth looking over for sure.

Also, check this one out: http://www.phpbuilder.com/columns/tim20000505.php3?page=1
The last page of the tutorial has the script.
-danielOut

Offline Rimmy

Re: User registration, login, etc.
« Reply #10 on: March 04, 2008, 08:50:12 PM »
Thanks for the links! :D

Offline JGadrow

Re: User registration, login, etc.
« Reply #11 on: March 05, 2008, 02:33:10 PM »
I randomly generate a unique identifier whenever a user authenticates and store it in a database along with the IP address (if available), overwriting any previous identifier with the same account / ip combination. I also store the timestamp for auto activity logout.

Each time the identifier is successfully used, it is regenerated and reissued, thus foiling 'replay' attacks. I do the same with session ids (which I have written a custom handler for because I hate my system being littered with 0 byte files and it's more reliable) to prevent session fixation attacks.

As far as the actual login parameters themselves, I use a hashing method on the user's password immediately upon receiving it at registration and I also hash the received password at login time and compare them. If the hashes are identical, the user has successfully authenticated.

As far as handling SQL injection, I use prepared statements with bound parameters to foil it.

Passwords are stored as hashes in the database and they are salted so two users with the same password will still have different stored hashes thus helping to retain security even in the face of a system intrusion.

I haven't yet allowed for a 'remember me' function, but it shouldn't be a terrible issue. Of course, you need to throw up the standard 'not responsible for you getting hacked' CYA statement in case they log in at an internet cafe and leave the thing logged in or whatever.
Idiocy - Never underestimate the power of stupid people in large groups.
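The scheme JGadrow describes above (a random identifier issued per login and stored with the IP address and a timestamp, rotated on every successful use, salted password hashes, and prepared statements with bound parameters), written out as an added PHP example; this is not code from the thread or from any of the linked scripts. It assumes PHP 7.1+ with the pdo_sqlite extension, uses password_hash()/password_verify() in place of a hand-rolled salted hash, and the table names, the 15-minute idle timeout, the token size and the sample users and IP addresses are all constructed for the demonstration.

```php
<?php
// Added example: JGadrow's login scheme with PDO prepared statements and an
// in-memory SQLite database so it runs stand-alone. Table/column names, the
// idle timeout and the sample data are assumptions made for this demo.
declare(strict_types=1);

const IDLE_TIMEOUT = 15 * 60;   // seconds of inactivity before a token is rejected (assumed value)

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT UNIQUE, pwhash TEXT)');
    // One live token per account/IP pair, so a new login overwrites the old token.
    $db->exec('CREATE TABLE auth_tokens (user_id INTEGER, ip TEXT, token TEXT, last_seen INTEGER,
               PRIMARY KEY (user_id, ip))');
    return $db;
}

// Registration: hash (and salt) the password the moment it arrives; never store it in clear.
function registerUser(PDO $db, string $name, string $password): void {
    $stmt = $db->prepare('INSERT INTO users (name, pwhash) VALUES (:name, :hash)');
    // password_hash() draws a random per-user salt and embeds it in the stored string,
    // so two users with the same password still get different hashes.
    $stmt->execute([':name' => $name, ':hash' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up with a bound parameter (no string concatenation, so the
// submitted name is always data, never SQL), verify the hash, then issue a fresh token.
function login(PDO $db, string $name, string $password, string $ip): ?string {
    $stmt = $db->prepare('SELECT id, pwhash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null; // same answer for an unknown user and a wrong password
    }
    return issueToken($db, (int)$row['id'], $ip);
}

// Generate a random identifier and store it with the IP and timestamp, replacing
// any earlier token for the same account/IP combination.
function issueToken(PDO $db, int $userId, string $ip): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT OR REPLACE INTO auth_tokens (user_id, ip, token, last_seen)
                          VALUES (:uid, :ip, :tok, :now)');
    $stmt->execute([':uid' => $userId, ':ip' => $ip, ':tok' => $token, ':now' => time()]);
    return $token;
}

// Each successful use retires the presented token and returns a new one, so a captured
// token cannot be replayed; a token idle longer than IDLE_TIMEOUT is rejected.
function useToken(PDO $db, string $token, string $ip): ?array {
    $stmt = $db->prepare('SELECT user_id, last_seen FROM auth_tokens WHERE token = :tok AND ip = :ip');
    $stmt->execute([':tok' => $token, ':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || time() - (int)$row['last_seen'] > IDLE_TIMEOUT) {
        return null;
    }
    $userId = (int)$row['user_id'];
    return ['user_id' => $userId, 'token' => issueToken($db, $userId, $ip)];
}

function check(bool $cond, string $what): void {
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

// Demonstration with constructed data.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');

check(login($db, 'alice', 'wrong', '203.0.113.5') === null, 'wrong password is refused');
check(login($db, "' OR 1=1 --", 'x', '203.0.113.5') === null, 'SQL metacharacters in the name are just a name');

$t1 = login($db, 'alice', 'correct horse battery staple', '203.0.113.5');
check($t1 !== null, 'correct password yields a token');
$r = useToken($db, $t1, '203.0.113.5');
check($r !== null && $r['token'] !== $t1, 'token is rotated on each use');
check(useToken($db, $t1, '203.0.113.5') === null, 'the retired token cannot be replayed');
check(useToken($db, $r['token'], '198.51.100.9') === null, 'token bound to the IP it was issued to');

registerUser($db, 'bob', 'correct horse battery staple');
$hashes = $db->query('SELECT pwhash FROM users ORDER BY name')->fetchAll(PDO::FETCH_COLUMN);
check($hashes[0] !== $hashes[1], 'same password, different salted hashes');
```

Run it with `php login_demo.php` (any file name will do); each line of output is one of the post's properties being checked. Two design notes a practitioner would want: binding the token to the client IP, as the post does, will log out users whose address changes mid-session (mobile clients, some proxies), so it is a trade-off rather than a free win; and password_verify() already compares in constant time, which is why the code does not call hash_equals() itself.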


Offline Josh1billion

Re: User registration, login, etc.
« Reply #12 on: April 06, 2008, 05:04:12 PM »
Registration and login scripts are quite simple; there's no need to download an existing one like someone else recommended above.

Quote
As far as the actual login parameters themselves, I use a hashing method on the user's password immediately upon receiving it at registration and I also hash the received password at login time and compare them. If the hashes are identical, the user has successfully authenticated.
This is good and is what most people do.

Quote
As far as handling SQL injection, I use prepared statements with bound parameters to foil it.
Specifically in regards to this, I'd recommend looking into the mysql_real_escape() function.

SimplePortal 2.3.3 © 2008-2010, SimplePortal