Secure Authetication with sessions

Anon

Hi,

for a session-driven CMS site, I need user-individual access to a MySQL database. On a login form, the user gives login and password, which is checked against the database. I actually hoped, that I could use only one '$dbh = mysql_pconnect' right after the login-form, and have access to that connection through the link-identifier ($dbh), which unfourtunately does not work, should it??

However, what I do now is reconnect with mysql_connect on every page, in order to refresh the link-identifier, but reconnecting means to supply username and password again, which have to be stored as session-variables. I don't feel really comfortable with a plaintext password in that sessions-table.

Here's where I need help:
1. Somebody knows a smarter method for the whole thing, without the need to store password and username?
2. Could I somehow encrypt (one-way) that password and connect to mysql?

Thanks a lot for help

Tom

Anon

1) Instead of repeating the username/password check everytime you wish to connect to the DB, try generating a session identifier (a random string of characters) that is stored in the DB along with the username and password. You can pass the session identifier between pages in the URL and check this against the DB. Its' alot safer this way, especially if the session identifier is 32 characters or more in length.

2) Use the md5() string encryption. This is a one way algorithm that allways results in a 32 charcter string, no matter how long the original string. Try:
$QUERY = "INSERT INTO table (username, password) VALUES ('$username', '" . md5($password) . "'";

I hope this makes sense!?!?

Anon

I hope this makes sense!?!?
Well, not quite 😉

I do have a session-id, which however doesn't help me a lot. What I need is a link-identifier, which you get by doing:
$linkidentifier = mysql_(p)connect(...)

I can not store the linkid as a sessionvar (with or wo serialize, no matter). So in order to get my linkid, I need to reconnect - with username and password supplied).

Storing the password encrypted qould be a good idea, but for 'mysql_connect($Host,$User,$Pass), $Pass must be a plain-text password.
What's left is encoding the password with some algorithm, store it as session variable, retrieve and decode in the script and connect to the db...anything else left?!?

Tom

Stephen wrote:

I hope this makes sense!?!?

Anon

Once the server side process has finished the mysql_pconnect link is broken. Unlike the mysql_connect, which disconnects when the query ends. So there isn't much that can be done about that.
Are you using this connection for Admin or user? The most efficient way to store user info (username, password etc) is to store the username/password etc. in a table, rather than give them access to the database. If a user has the password to the db it is much easier for them to run their own query on the db and edit the info. I usually leave the username and password in the mysql_pconnect() for the webmaster and other admin.
Try Creating a table to store all of the user info. You can then run a query from a script like:

$Query = "INSERT INTO table (username, password, ID) VALUES ('$username', '" . md5($password) . "', '$sessionID')

Then you can run a query using the session ID to check if they are a valid user. This avoids passing the username/password from page to page.

Anon

As far as authentication concerned just go to www.zend.com and check an article by Julie Meloni on Authentication.

She gives a good info on Authentication using static files or database.