user authentication – (please point me in the right direction)

Hi,

I am starting to think about user authentication.

I need to have members log in to a secure area of the site with multiple levels of access, including my own admin level (probably 3 levels).

What is the most flexible / secure way to do this?
Is checking the user & pass against the DB and storing the access level in the session secure?

I would greatly appreciate your help.

joe

PHP

2 Comments

@Stevish, Mar 18, 2009 — Just so you know, this is a HUGE can of worms to open. Security is probably the hardest thing to keep track of because it's never 100% secure (just like anything in life). I read one place that having good security is not about preventing every attack, but about slowing down the attacker enough that you can stop them before they get any valuable information and/or quickly fix whatever they screw up.

You may have to google around for the different types of things you want to do, but here's a list of things you'll probably need to implement:

- A secure password hashing system (using at least 2 salts: one static, and one that's unique for each user. This hashing process should be unique to your site)
- Database isolation (i.e. the db user that is called by the login script should only have SELECT privileges on the login database)
- Session hijacking countermeasures (checking the IP address, browser info, etc.)
- Encryption of sensitive information in the database


That's not an exhaustive list of course, but it's all I can come up with right now. As for your question about storing the user access level in the session, my login script is set up to do that, although I could never get a straight answer about how secure that is. But as far as I know about session variables, only the PHP script can change the values in them, so it's just a matter of making sure all user input is validated properly so they cannot inject anything into the code that would get written to the session variable.
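As an added example (not code from this thread or either poster), here is how the points above fit together in PHP: hashing the password, looking the user up with a prepared statement, and keeping the access level server-side in the session. It uses PHP's built-in password_hash(), which generates and stores the per-user salt itself; the $pdo connection, the users table and its column names are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection $pdo and a
// `users` table with columns id, username, password_hash, access_level.
session_start();

const LEVEL_MEMBER = 1;
const LEVEL_EDITOR = 2;
const LEVEL_ADMIN  = 3;

// Registration: password_hash() draws a random per-user salt and stores it
// inside the returned string, so no hand-rolled salting scheme is needed.
function createUser(PDO $pdo, string $username, string $password, int $level): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, password_hash, access_level) VALUES (?, ?, ?)'
    );
    $stmt->execute([$username, $hash, $level]);
}

// Login: check the password against the stored hash, rotate the session id so a
// session id handed out before login cannot be reused, then record the level.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT id, password_hash, access_level FROM users WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);
    $_SESSION['user_id']      = (int) $row['id'];
    $_SESSION['access_level'] = (int) $row['access_level'];
    return true;
}

// Page gate: the level is read from the server-side session, never from a
// cookie or form field the client could edit.
function requireLevel(int $minimum): void
{
    if (($_SESSION['access_level'] ?? 0) < $minimum) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// On an admin-only page (assumed layout): requireLevel(LEVEL_ADMIN);
```

The session itself still needs the countermeasures listed above (HttpOnly/Secure cookie flags, a session timeout), since the access level is only as safe as the session id that carries it.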
@arkleyjoe (author), Mar 18, 2009 — Many thanks for your help