I'm developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it's a bit confusing, so I want to check that my approach makes sense.
I plan on storing the following data:
In the session: user-id, hashed + salted HTTP_USER_AGENT
In the cookie and in the database: random token, hashed + salted identifier
On every page, I plan on doing the following:
If a session exists, authenticate using that. Check that the HTTP_USER_AGENT
matches the one in the stored session.
If no session exists, use the cookie to authenticate. Check that the token and identifier in the cookie match those in the database.
If the cookie is invalid or doesn't exist, ask user to login.
Are there any obvious flaws in this? As long as I set a timeout in the cookie, I should be fairly safe, right? Is there anything I'm missing?
Many thanks in advance.
A few random thoughts :
HTTP_USER_AGENT
is a good first step to prevent session hijacking, but maybe you could combine it with the IP address ? It is far more difficult to be on the same host than your target than to simply use the same browser.But in any case, thanks for taking the time of thinking about a good authentication scheme. A lot of PHP developers don't.
EDIT: for the record, let me clarify a point here : there are two cookies in this discusion. One being set automatically by PHP to propagate the session ID (sometimes, we see websites putting it in the URL, eg www.example.com/page.php?sessionId=[...]), and the second one created by you in order to store the user credentials and authenticate him when the session is lost. The XSS attack applies to both, ie an attacker could either steal the session cookie and hijack the session (which has a limited lifetime), or steal the credentials cookie and authenticate later.
there shouldn't be. the php session is stored on your server not the user. php simpily leaves a session cookie pointing to it. if you're not on shared hosting the session doesn't even have to be hashed.
joe
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With