Search the Community

CMS/Forum Session/cookie management and security, picking a good example. I am starting an opensource GPL forum project primarily for the sake of learning. I have been looking at the different implementations for user authentication and session management of different CMS and forum packages.Trying to go through and learn what is being done. Also wondering which makes for the best example of a good clean way to implement it.I would prefer to store the bare minimum cookies client side and keep most data in session variables server side.Unless there is a good reason to have another cookie or two, like if it somehow added additional security. SMF & Drupal makes use of the standard session_start(), and both also use database for session management.(more scalable) phpBB3 also uses the databse for session management, but does not use the standard "session_start()"it uses custom implementation using session_begin() , session_create() , session_kill() , session_gc() I like that Drupal only had the one session cookie, however it takes me much longer to follow the functions and understand what is happening with drupal code.In drupal a lot of things are generated like forms etc, using a single function, this is very clean as it reuses a lot of code, however I would rather learn from something easier to follow.I can always make the code more efficient afterwards. mybb seemed to set more cookies than the rest, and did not make use of the standard session_start(), I am unsure if it uses the db for session management. Right now I think I have it narrowed down to either SMF or PHPBB3, I am kinda leaning toward PHPBB because of a post I found: I read this post: https://www.phpbb.co...49840#p12949840 "Stealing a session id/key is not enough to get logged in. The IP must match to the extent defined in the ACP.Also, the browser user-agent must match (enabled by default). Additionally, you can have it check the x_forwarded_for value." I would think the extra checks like user-agent, IP, x_forwarded_for would help mitigate xss and sesion fixation.phpbb3 key function quotes:"Multiple keys may exist for each user representing different browsers or locations."I am curious if they limited the number of sessions per user, so that a malicious user cant intentionally create Tons of session keys on purpose. SMF may have the same checks, I am unsure. (I do not see IP or x_forwarded_for checks in the 'cookies and Sessions' admin section of smf, but they could be hardcoded.) Any insight or opinions on the subject are appreciated, or if you know of another opensource CMS or Forum that I should take a look at as a good example. at the moment I am leaning towards further studying the phpbb3 implementation and tryint to implement something similar.