User Login System

Anon

Hi,
I'm trying to write a user login system for my intranet. At the moment I have a table in my database which contains users for the site. When the user logs in, the script checks against the db to see if the user is valid. If they are, it starts a session containing the username and password. Then, on each subsequent page, the session is checked for the username and password and validated against the db again. If the session is not found or not valid against the db, they go back to the login page.

Ok, fine. Apart from my logout doesn't work. I can't destroy the session. When I call session_destroy(); I get the error "Session object destruction failed", any ideas why?

So, my questions are:

How can I destroy the session?
Is the overall idea of how I'm doing this the best?

I've read the articles on this site, I'm just trying to get more ideas and anothers opinion. This is for an intranet with no more than 30 users, so performance isn't a big issue.

I know this is a bit long winded, any help would be gratefully recieved.

Cheers,

Jord

Anon

Hope you aren't really storing the password in a cookie (sessions work with cookies). This would be very, very insecure. never store valuable information in cookies. read the column about the auth system, on this site.

Anon

Hi,
I thought that sessions store the id of the session in a cookie and the rest of the data in a file on the webserver?

Jord

Anon

Why should you destroy session? Try to call unset() function to unset the value of your variables or call to session_unregister() to unregister your variables from the session. I never tried to do this but i think it will work.
regards,
Anatoly

Anon

Is the overall idea of how I'm doing this the best?

It's fine with one major exception: the password. You should NOT be sending the password back and forth, storing it in a cookie, etc. Instead, create a random hash that represents the session, store that in the user database, and use that for your session id.

Anon

You're the one that said you were sending the userid and password. If you're actually using PHP4 or PHPLIB sessions, then you already pretty good from a security standpoint.

Anon

Thanks for all your help. Kirk, could you explain (possibly with some code) what you mean . I'm not sure how to go about it.

Cheers,

Jord

Anon

Can you clarify if you're actually using PHP4 or PHPLIB sessions, or do you mean that you're rolling your own session support? If the former, you shouldn't need to do anything extra, it's already being done for you.

If you are doing it yourself (and there perhaps are some arguments for not using built-in sessions, I guess) here's how you might create a unique id:

  mt_srand( (double)microtime()*1000000 );

  $session_id = md5( uniqid( mt_rand() ) );

The first statement just sets the random-number generator to an unpredictable starting point (don't use the plain rand() generator; the MT version is much better.)

The second statement is taken directly from the manual page for uniqid(), except I've substituted mt_rand() for rand().

Anon

Thanks Kirk, your a big help on this.
I'm using PHP4 sessions. I'm going to try and explain more clearly. Basically, here is what i'm doing:

User goes to page.
Login box appears
Enter username and password
If username and password are found
Start a session containing two variables. One with the username in, and one with the password in. This is so that on the next page the user does not have to re-enter their username and password.

That's basically it. So, to logout the user I thought you would just call session_destroy() but it throws an error ("session object destruction failed").

If I simply reset the user variables to "" then it won't let me log in again!

Can sessions be cracked? I thought that the session data is kept in a file on the server /tmp directory. Should I use md5() when keeping the username and paswords in the session so that they are safer?

Thanks very much for your help :-)

Cheers,

Jord

Anon

I don't think you need to store the userid and password at all. The session itself is enough validation (for most purposes) that the previous login succeeded.

Anon

Thanks very much Kirk. I think I understand what you mean now. I'll get on first thing in the morning!

Thanks again, Cheers,

Jord

Anon

Jord / Kirk,

Im not sure i totally understand here. Jord, are you checking a 'username' & 'password' from a table in a database? If not what exactly are you doing your checking against?

The other comment and question is that I recently developed a JSP (Java Server Pages / Servlets) solution of doing the same thing. I created a DB with a user table which holds user info (username, password and other data). I also created an 'admin' user. In the user table, i created a field named 'accesslevel' and the admin would have an 'accesslevel' of 0 and a regualar user would have an 'accesslevel' of 1.

What this does for me is, everytime a user requests a page, JSP code (or php) verifies if there is a SESSION created and if so, checks the 'accesslevel' of the user making the request for that page. (When the user logs in, a SESSION is created and places a variable named 'accesslevel' in the SESSION.)

When I move this authentication method to PHP I will use MD5 hash the password for extra security.

It seems to work great and I really dont have any problems. However, I have always wondered if this is the RightWay(tm) of doing things.

Comments?

-Buzzlightyear
To Infinity and Beyond

Anon

Buzz,
I think I'm doing more or less the same as you!

Check username and pass against mysql db table, then, if found, start session that says that the user is logged in. Each time the user goes to subsequent pages the session is located and found that the user is logged in, if the session is not found, I throw the login box again and ask for the username and pass again. I use md5() for my password aswell (database and form variables).

I'm also going to add acccess level type system like yourself for different users of my intranet.

Hope that helps, if it wasn't for Kirk, I'd still be lost! ;-)

Cheers,

Jord