Secure login and security page check best practices with PHP
What would people's views be on the following:
- Is it good/best practice to query the database on every secure page of the website, with a salted, encrypted code check between the session/cookie and the database value?
or
- Is it good/best practice to rely on salted, encrypted sessions and cookies (where both key and value are salted and encrypted)?
So the user id and access level are either picked out of the database on every secure page, or taken from an encrypted session/cookie key-value pair.
Conclusion
This is what I have chosen to do:
Login
- validate username & md5(password) in the db; if correct:
- start session
- session stores encrypted key & value pairs for: user_id, admin, access_level
- create an access key by joining remote ip & remote user agent & config encryption key, encrypting each, joining the strings, and encrypting again
- store the value in both the db and the session key, encrypted
- user logged in
For page validation:
I chose 2 levels of page user access validation:
- low priority secure tasks, e.g. details listings, upload image, select queries mostly
- high priority secure tasks, e.g. delete & update
Low priority page check:
- simply check the existence of the encrypted session keys and values user_id, access_level & the existence of access_key
High priority page check:
- query the db for a session access_key match, re-set the session values user_id, access_level
Additional:
I added an ip recording feature to track ips in the db on login attempts; if login fails 10 times for an ip, the ip gets banned.
Certainly not cookies. The session cookie should be a meaningless pseudo-random blob of gobbledygook. The gobbledygook is the id of a session stored server side. Session data can be stored in the database or in the filesystem (which is the default for PHP sessions). Authenticate the user once against the stored credentials, open a session for him, and store the user id and whatever else you need in the session. The user is identified and authenticated by the meaningless session cookie and the data that belongs to it. No more, no less.
There is an argument to be made for checking whether the data in the session is still in sync with the database, though. Say the user has "access levels" and you store them in the session when the user authenticates. You then change the user's access level in the database; the session still has the old copy of the data, and the user is still able to use access levels they may not be allowed anymore. It's up to you how you want to verify the data against the canonical database store.
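As an added example (not code from the thread), here is a minimal PHP sketch of the approach the answer describes: a server-side session identified only by a random id, the user id and access level stored in that session, and the access level re-read from the canonical database row on high-priority pages so a changed level takes effect. The PDO connection `$pdo`, the `users` table and its columns are assumed, and `password_hash()`/`password_verify()` is used in place of the md5 the question mentions; that substitution is mine.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection $pdo and a users
// table with columns id, username, password_hash, access_level (names assumed).
declare(strict_types=1);

ini_set('session.use_only_cookies', '1');   // session id travels only in the cookie
ini_set('session.use_strict_mode', '1');    // reject ids the server never issued
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

function login(PDO $pdo, string $username, string $password): bool {
    $st = $pdo->prepare('SELECT id, password_hash, access_level FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() digest in constant time
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh random id: the cookie stays a meaningless blob
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['access_level'] = (int) $row['access_level'];
    return true;
}

// Low-priority pages: the server-side session copy is enough.
function requireLogin(): int {
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
    return (int) $_SESSION['user_id'];
}

// High-priority pages (delete/update): re-read the level from the canonical
// database row and refresh the session copy, so a revoked level takes effect.
function requireAccessLevel(PDO $pdo, int $needed): void {
    $uid = requireLogin();
    $st = $pdo->prepare('SELECT access_level FROM users WHERE id = ?');
    $st->execute([$uid]);
    $level = $st->fetchColumn();
    if ($level === false) {        // account deleted since login: drop the stale session
        session_destroy();
        http_response_code(403);
        exit('account no longer exists');
    }
    $_SESSION['access_level'] = (int) $level;
    if ((int) $level < $needed) {
        http_response_code(403);
        exit('insufficient access level');
    }
}
```

A delete or update handler would call `requireAccessLevel($pdo, 2)` (or whatever level the action needs) before doing any work, while a listing page only calls `requireLogin()`.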