 

secure PHP login system?

I've been developing a PHP-based CMS for use on my robotics team's website. Sure, there's plenty of other platforms out there, but what's the fun in that?

In all seriousness, though, we do receive extra points for being able to say that we did more than make a template for Drupal or WP. This is a bit unrelated, but I'd like to be able to release the CMS as FOSS one day, but it will definitely have to mature and be more secure. But I digress.

I've reached the point in developing this system where I need a login system. This has caused more frustration than I expected. I can be meticulous when it comes to security, and this isn't much of an exception. The problem is, I know how to take care of database security (trust no user input, store passwords as a hash with a random salt, etc), but I lack the knowledge to make a good client-server system. A few questions in this regard: How secure would it be to use session variables? How would one implement session variables correctly in this regard? Should the session cookie be regenerated at every pageview? You give up much security when using cookies to keep the user logged in for any amount of time, but what are the best practices for implementing this kind of system?

A good tutorial on this subject would greatly help, also.

Thanks for your time.

Trey asked Aug 27 '10 05:08


1 Answer

If you're wanting to actually learn more about the problem/solution, rather than copy/pasting somebody else's code, check out this article.

http://jaspan.com/improved_persistent_login_cookie_best_practice

Excellent resource for persistent cookie management; although it doesn't give you the code, it gives you a good grounding/concept to create a more secure login system.

Of course the most secure PHP login system is one that doesn't have persistent login functionality, as user credentials are never stored anywhere apart from the server.

Stoosh answered Sep 25 '22 22:09
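The series/token "remember me" scheme from the linked article, and the session-id regeneration the question asks about, worked through in PHP as an added example (not code from the original post or from the asker's CMS). It assumes PHP 7.3 or later with PDO and the SQLite driver available; the table name, the function names and the cookie name are hypothetical. The demo at the bottom keeps the database in memory and passes cookie values around as plain strings, so it runs from the command line without a web server.

```php
<?php
// Persistent-login cookies following the series/token scheme described in the
// Jaspan article. Added example; table/function/cookie names are assumptions.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';   // hypothetical cookie name
const REMEMBER_DAYS   = 30;

function setupSchema(PDO $db): void
{
    // One row per (user, browser). Only a hash of the token is stored, so a
    // stolen copy of the database cannot be turned into working cookies.
    $db->exec('CREATE TABLE IF NOT EXISTS persistent_logins (
        series     TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        token_hash TEXT NOT NULL,
        expires    INTEGER NOT NULL)');
}

function randomHex(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));   // CSPRNG; never rand()/mt_rand()
}

// After a successful password check with "remember me" ticked.
// Returns the cookie value the browser should store: "<series>:<token>".
function createRememberMe(PDO $db, int $userId): string
{
    $series = randomHex();
    $token  = randomHex();
    $db->prepare('INSERT INTO persistent_logins (series, user_id, token_hash, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$series, $userId, hash('sha256', $token), time() + REMEMBER_DAYS * 86400]);
    return $series . ':' . $token;
}

// Validate a presented cookie. Outcomes:
//   ['status' => 'ok', 'user_id' => n, 'cookie' => rotated value]
//   ['status' => 'invalid']                 unknown series, bad format or expired: just clear the cookie
//   ['status' => 'theft', 'user_id' => n]   known series but wrong token: an old cookie was replayed,
//                                           so every persistent login for that user has been revoked
function checkRememberMe(PDO $db, string $cookie): array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return ['status' => 'invalid'];
    }
    [$series, $token] = $parts;

    $stmt = $db->prepare('SELECT user_id, token_hash, expires FROM persistent_logins WHERE series = ?');
    $stmt->execute([$series]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return ['status' => 'invalid'];
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Theft detected: drop all series for the user and force a fresh password login.
        $db->prepare('DELETE FROM persistent_logins WHERE user_id = ?')->execute([$row['user_id']]);
        return ['status' => 'theft', 'user_id' => (int)$row['user_id']];
    }
    // Valid: rotate the token so each cookie value is usable exactly once.
    $newToken = randomHex();
    $db->prepare('UPDATE persistent_logins SET token_hash = ? WHERE series = ?')
       ->execute([hash('sha256', $newToken), $series]);
    return ['status' => 'ok', 'user_id' => (int)$row['user_id'], 'cookie' => $series . ':' . $newToken];
}

// On logout, drop only this browser's series (other remembered browsers keep working).
function revokeRememberMe(PDO $db, string $cookie): void
{
    $series = explode(':', $cookie, 2)[0];
    $db->prepare('DELETE FROM persistent_logins WHERE series = ?')->execute([$series]);
}

// Browser-facing glue, not exercised by the CLI demo: a fresh session id whenever the
// privilege level changes, and a Secure + HttpOnly + SameSite cookie for the token.
function startAuthenticatedSession(int $userId, ?string $rememberCookie): void
{
    session_regenerate_id(true);          // new id on login; the old one is destroyed
    $_SESSION['user_id'] = $userId;
    if ($rememberCookie !== null) {
        setcookie(REMEMBER_COOKIE, $rememberCookie, [
            'expires'  => time() + REMEMBER_DAYS * 86400, 'path' => '/',
            'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}

// Demo with a constructed in-memory database; cookies are held in plain strings.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);

$cookie = createRememberMe($db, 42);        // browser stores this
$r = checkRememberMe($db, $cookie);         // next visit: accepted, token rotated
assert($r['status'] === 'ok' && $r['user_id'] === 42);
$replay = checkRememberMe($db, $cookie);    // attacker replays the old value
assert($replay['status'] === 'theft');
$r2 = checkRememberMe($db, $r['cookie']);   // legitimate browser is now logged out too
assert($r2['status'] === 'invalid');
echo "remember-me flow OK\n";
```

The point of the rotation is that a cookie value stolen from the browser or the wire works at most once: whichever side (victim or attacker) presents the stale token second trips the theft branch, and the only safe reaction at that moment is to revoke every series for the user and require the password again. Regenerating the session id on login (and on any other privilege change) is the standard defence against session fixation; regenerating it on every page view adds little beyond that and breaks concurrent requests, so it is not done here.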