Absolutely secure

Anon

I need a absolutely secure login system.
(About a month ago, I commented on the secure login system presented on this site stating that this one would not be 100% secure. Reasoning is repeated below)

Plz help me think about this one...
user needs to be able to stay logged in if active enough (let's say, transaction every 5 minutes)
if inactive, log user out.

I use the following method:
login, get a session id (unique normal timestamp-id, see function in manual), stored in a cookie. insert data about session in table (session id, login time, ip address, user id).

On every pageload, I check the cookie-value of the userid against the value in the table, check whether the login time isn't more than 5 minutes ago and if the ip-address is the same.

Only if you have a match, you are allowed to see the page.

Does this seem 100% secure?

Does anybody see ANY way of cheeting?
Thx for your cooperation !

-- why the secure system on this site seems insecure --

using 2 cookies, it's quite easy (it seems) to copy those two cookies from somebody's computer and use them for your own purposes. One can spoof them on the net or just copy them (I program this site for public terminals) to a disk. Changing (it's only a textfile?) the expire-time would even make it possible to keep on using the cookie for ever... login in as being somebody else.

Am I wrong? I admit, it's pretty secure, but not the 100% I'm looking for, is it?

Anon

Tim wrote here an article about it few weeks ago.
You can have a look... the trick was a public/private key like system, crypted with the md5() function.

I hope it helps.

Anon

Yep, that's the article mentioned above, with the critisism that it isn't absolute secure.

Anon

Yeah, he looked at the article apparently. As I told him, the only way to prevent the cookie from being copied to another machine is to use SSL.

My login doesn't have the feature where it logs you out after so much inactivity. It wouldn't take much for him to program it in though (requires re-setting the cookie every page view).

Anon

I know, use SSL you said. Does SSL prevent users to copy the cookie from the machine to a disk, if they have access to that machine? Not all people have a computer of their own!

Anon

SSL may not prevent the theft of the cookie(don't know for sure as I avoid cookies like the plague) but SSL will keep your passwords from being sniffed over the wire. Any form data submitted over the web on a non-SSL encrypted session is transmitted in plaintext. If someone has a valid username/password combo there is nothing to prevent them from simply logging in as that user, your system cannot tell the difference.
Have you found any other holes in the system? I am using a similar system but without the cookies and was also wondering if there was a hole in the process.

Anon

I will indeed have to look into SSL, since simply sniffing username/pass combination would be a big problem. However, this has nothing to do with cookies.

At this very moment, I haven't found any other holes in the system, nor heard of any. How can you use this system without cookies?

Anon

True, I didn't mean SSL being any part of cookies, just that if you are looking for security SSL is a must.
As far as my doing the same without using cookies, I pass the session hash around on the URLs and check at the start of each page for the session hash. I use the same technique of storing information in a table and use that to check the time and sessionid, as well as the ip address of the client, just to be sure. I just have something against cookies so I try my hardest not to use them at all. It works very well for me.

Anon

Tim or anyone,

You have posted some code in the Code Library which contains a bunch of authentication functions. But nowhere, can I find the "wrappers" for these functions. -I would like to implement your code, but without the .php pages to call the functions properly, I would be afraid of making an error in my security.

Do you have the complete set of authentication files posted anywhere? -Also, was this issue ever really resolved with regard to a good and a secure authentication system?

Please let me know as I am planning on doing an entire re-write of my system. I want a strong foundation with good authentication, enabled right from the start.

Thanks,
-Chris