Login script logic check!

GirishR

Hello all,

Pleas tell me if this is a good/secure way for a login script.

When the user submits a form with username and password the script checks for a matching username and password in the database. If a match is found, I create a session, encrypt the password for that user and store in the session. Then the user is redirected to the appropriate page with the username appended in the query string.

Also in each restricted page I retrieve the username (retrieved from the query string) and check for the password for that corresponding user in the database and compare that to the decrypted password stored in the session.

I was just wondering if this is the appropriate method. Also what is the use of carry forwarding the session id in the query string?( I have seen this in many sites which use php.). For me session works fine even without carry forwarding the session id.

Please advise.

rachel2004

GirishR, good post. One of the things you want to think about is that connection between your site's visitor (via his browser) and your web server/db. Unless you are using SSL to encrypt the tunnel, it's still possible for someone to user a packet sniffer to capture cleartext usernames/passwords.

I'm not sure what your logic is behind authenticating a user against credentials stored in the db AND then registering his password as a session variable. It should be good enough to just register his username or userID as a session variable.

One of the ways I've approached this problem is in the table I use for users, I have a column which I call "permissionLevel". In that column, I assingn a number between 1 and 7 where 1 is considered an anonymous user and 7 is considered a superuser.

I register the visitor's username and his permissionLevel each as a session variable. Then when he comes to a page that requires a user to be logged on (and have certain permissions to do something or look at archives), the logic checks:

is a username set?
is the permissionLevel number set and if yes, is it high enough to allow the user to be at this page?

GirishR

Ok rachel, good enough. But I was thinking wheater this method of checking if the username is set in session secure enough. Won't it be good enough to check the database for such a user? Even I had though of such a idea but droped it. Then came up with the idea of storing password in the session. If your method is secure enough it will be really fast 'coz it uses no database operation in pages where the authentication is needed.

Thanks
Girish R

rachel2004

Originally posted by GirishR
...checking if the username is set in session secure enough. Won't it be good enough to check the database for such a user? Even I had though of such a idea but droped it. Then came up with the idea of storing password in the session.

What do you consider good enough? For a financial institution, they may want SSL to encrypt all traffic. That might be considered good enough.

For a regular website where users can post messages, logging on and checking username/password might be good enough.

Only you can say what is good enough in your situation since you know what you plan on doing with your login script.