What is most secure way to log users in?

Tom_Tees · 2010-06-06T18:29:40+00:00

What is the most secure way to... Log in a Customer Keep the Customer logged in Restrict what Visitors (not logged in) and Customers (who are logged in) c...

What is most secure way to log users in?

Tom_Tees

What is the most secure way to...

Log in a Customer
Keep the Customer logged in
Restrict what Visitors (not logged in) and Customers (who are logged in) can see on my website?

(The book I'm finishing up - which I trust less and less - says to store the CustomerID in a session.)

I want something that is very hard to hack because I don't want the wrong person going to the wrong place on our website.

Tom Tees

sneakyimp

Get an SSL cert and install it on your server so that you can host pages securely. Your cert should be properly signed by a reputable certificate authority.

construct a form that forces itself to be displayed using HTTPS:

<?php
function ForceHTTPS()
{
    if( $_SERVER['HTTPS'] != "on" ) 
    {
       $new_url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
       header("Location: $new_url");
       exit;
    }
}
?>

the form should accept a user login and a password. the password should be collected with a form input with type="password" so the password is not displayed.

when the user submits the form, you check their username and password against your database. the database would ideally only permit access from localhost. this limits the ability of hackers to explore the database. the database is how you control access to certain pages.

your statement that checks the database should properly escape (e.g., mysqli_real_escape_string ) any user input submitted in the form to prevent sql injection -- or you should use prepared statements which handle this for you.

the database should store a hash of users' passwords rather than the actual password. The passwords should be hashed using [man]md5[/man] or [man]sha1[/man] after they have been salted.

if you find a valid record for a given login and password, call [man]session_start[/man] and set a value in $_SESSION which indicates that the user is logged in. If you want to be extra secure, you should probably use a database to handle sessions. PHP permits you to alter the default session handling with your own functions. If you don't bother doing this, session values are usually stored in a file on disk in the /tmp directory. In a shared hosting situation, this can present security problems because other users of the same server might be able to sniff around your files and see what's in them.

storing customer id in a session sounds like a good idea.

Tom_Tees

sneakyimp;10954632 wrote:
storing customer id in a session sounds like a good idea.

Thanks for the response. (Most of that was over my head?!)

I guess what I was wondering was more how you manage who sees what pages.

Let's say you - a Customer - log in using the methods you posted and I log you in. Now let's say that you navigate around your "Customer Profile" and then you shop some and then you go to "View Order History".

The 1st and 3rd areas should be only accessible by you, while anyone can shop (i.e. Visitors, Logged-out Customers, Logged-in Customers).

How are I ensuring someone doesn't go where the shouldn't be allowed?

And how do I handle switching from HTTPS to HTTP to HTTPS areas?

(I remember reading in a book last year that you have to be careful that Users can't get to a "secure" page from a "non-secure" page and visa-versa by some back-door.)

Not sure if I'm making any sense?!

TomTees

sneakyimp

Two manage who sees what pages, you need to give each page (or page section) some kind of unique indentifier that you can store in a db table (let's call that table 'pages').
PAGES:
page_id (unique int id)
page_text_id (perhaps to be used in your PHP code, something like CUSTOMER_PROFILE)

Then you need to use a lookup table to either assign permissions directly from a user to a page (which means you'll have a lot of records in this table probably) OR you use this lookup table to assign permissions from a user type to a page. A user type might be admin, moderator, technician or pee-on or nobody or whatever. Admins might have access to all pages. Moderators might have access to particular sections of the site. etc. Let's have a table called user_types and one called user_type_page_assoc.

USER_TYPES
user_type_id - int primary key
name - varchar 50 or something...holds stuff like "admin" or "moderator"

USER_TYPE_PAGE_ASSOC
user_type_id - points to a user_type record
page_id - points to a page record

And then finally you'd store a user_type_id for each user.

Then in each page (or page section) you'd have to run a query to make sure that the current user's user_type had a record in USER_TYPE_PAGE_ASSOC for the current page.

The way I have dealt with getting https in the right spots and not where you don't need it is to create a file called something like _top.php which i [man]require[/man] in every single page. By default, this file would prevent HTTPS from being used so that we conserve server resources. If, however, a particular constant is defined as true, then I would force https.

// define PAGE_REQUIRES_HTTPS to be true to force HTTPS
if (PAGE_REQUIRES_HTTPS == true && $_SERVER['HTTPS'] != "on") {
  $new_url = "https://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
  header("Location: $new_url");
  exit;
}
// if PAGE_REQUIRES_HTTPS is not true and https is on, let's redirect and turn it off
if (PAGE_REQUIRES_HTTPS != true && $_SERVER['HTTPS'] == "on") {
  $new_url = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'];
  header("Location: $new_url");
  exit;
}