
Check if user logged in on every page?


toxicious


I have started a little with writing a very simple log-in system to be used by the admins on my site. Currently I have a form, when the user submits it (ajax) it checks against a db (hashed passwords of course #sonyfail) and if it matches, it creates a cookie containing the hash of the password and a cookie containing the username. But when the user enters a page which needs you to be logged in, what should I do there? Should I do a check against the db every time and check if the credentials in the cookie match? That seems like an expensive operation every time the user like refreshes a page or visits a new one o.O But I can't see any other solution that is secure?

  • Like 1

Use PHP sessions. Sensitive data will only be on the server and not stored on the client's device. When the clients log in, set a boolean "logged in" session variable to true and check it on every page to see if the user is logged in.

  • Like 2

Use PHP sessions. Sensitive data will only be on the server and not stored on the client's device. When the clients log in, set a boolean "logged in" session variable to true and check it on every page to see if the user is logged in.
Well that was simple, like a cookie stored on the webserver. But what if I want the user to be logged in for 24 hours or something? I have checked some big sites and all of them seem to use cookies when it comes to that. Edit: question: do I need to have that session start tag at every page since I don't know where the user will land? Edited by toxicious

You have to start the session on all pages. Having a session open doesn't imply that the user is logged in, it just means that you can share variables across several pages. If you want a "remember me" feature then you're going to need cookies. The best thing for a "remember me" feature is to hash data that's exclusive to the user, such as username and ID. Only do this after the user has logged in and don't leave any data about the user unhashed. If you don't want people to fake the cookie data you will need to use information that only the user can know, therefore the user's password will need to be somewhere among the hashed data in the cookie. When you receive the cookie, extract the data and compare it to the database, then you can start a session. There's no need to look at the cookie unless there is no session active already, the cookie is only for if the user has been away for longer than the session lasted. Be sure to tell the user not to use the "remember me" feature on shared computers: people can copy the cookie and use it on their own computer. While I'm at it: In the case that their account does get access from another person, you should require the person to input the old password if they want to change it to a new one. This way the original user can always get back to their account even if somebody else managed to log in. There's so much to say about security... Anyways, for a beginners project you can leave out the "remember me" function because it needs more thinking than a simple login system.

  • Like 1

Great post! So basically, if I were to write a login system with a remember me feature, every page would start something along the lines of this:

<?php
session_start(); // the session has to be started on every page before $_SESSION can be read

if (!isset($_SESSION['login'])) {
    // Check if the user has a "remember me" cookie
    if (!empty($_COOKIE['login'])) {
        // Extract and check against the db
        // If match, set $_SESSION['login'] = true
    }
}
?>

Edit: damn code feature...removing the indentation ;)

Edited by toxicious

Something like that. If both the session and the cookie data don't contain any indication of a user being logged in, then the user is not logged in. Don't forget to delete the "remember me" cookie when the user logs out, otherwise they never will be able to log out until the cookie expires. (Actually, for the same reason you also have to delete the session data as well)

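A worked version of the flow described above (session first, cookie only when no session is active, and both cleared on logout), added here as an example and not code from the thread. It assumes a PDO handle `$db` and a hypothetical table `remember_tokens(selector, token_hash, username, expires)`, and it swaps the password hash in the cookie for a random per-login token stored hashed in the database, so a copied cookie can be revoked without exposing anything about the password.

```php
<?php
// Added example, not code from the thread. Assumes a PDO handle $db and a hypothetical
// table remember_tokens(selector, token_hash, username, expires). The cookie carries a
// random per-login token (hashed in the DB) instead of the password hash, so it can be revoked.

function issueRememberCookie(PDO $db, string $username): void {
    $selector = bin2hex(random_bytes(12));  // public half: finds the row
    $token    = bin2hex(random_bytes(32));  // secret half: proves possession
    $db->prepare('INSERT INTO remember_tokens (selector, token_hash, username, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $token), $username, time() + 86400 * 30]);
    setcookie('remember', "$selector:$token", ['expires' => time() + 86400 * 30,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Top of every protected page: session first, cookie only when no session is active.
function requireLogin(PDO $db): string {
    session_start();
    if (!empty($_SESSION['user'])) {
        return $_SESSION['user'];
    }
    $parts = explode(':', $_COOKIE['remember'] ?? '', 2);
    if (count($parts) === 2) {
        $stmt = $db->prepare('SELECT token_hash, username FROM remember_tokens WHERE selector = ? AND expires > ?');
        $stmt->execute([$parts[0], time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // hash_equals() is a constant-time comparison, so timing does not leak the match
        if ($row && hash_equals($row['token_hash'], hash('sha256', $parts[1]))) {
            session_regenerate_id(true);          // fresh session id after authentication
            $_SESSION['user'] = $row['username'];
            return $row['username'];
        }
    }
    header('Location: /login.php');
    exit;
}

// Logout has to clear the session, the cookie and its DB row, or the cookie logs the user back in.
function logout(PDO $db): void {
    session_start();
    $selector = explode(':', $_COOKIE['remember'] ?? '', 2)[0];
    if ($selector !== '') {
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        setcookie('remember', '', time() - 3600, '/');
    }
    $_SESSION = [];
    session_destroy();
}
```

Call `issueRememberCookie()` only after the password check has succeeded and the user ticked "remember me"; `requireLogin()` then does one DB lookup per browser visit rather than per page, since every later page finds the session already set.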

Something like that. If both the session and the cookie data don't contain any indication of a user being logged in, then the user is not logged in. Don't forget to delete the "remember me" cookie when the user logs out, otherwise they never will be able to log out until the cookie expires. (Actually, for the same reason you also have to delete the session data as well)
Thanks for the tip and guidance :)

Well, there are many ways. Here's some code I had on one of my projects. It might be a bit complicated to understand. Saving the cookie:

    public function saveMember($username, $hashedPassword) {
        // $hashedPassword is already hashed, it is the value that's stored in the database
        $cookieName = md5($_SERVER['SERVER_NAME']); // Giving a name that is certain to not change
        $len = str_pad(strlen($username), 3, '$', STR_PAD_RIGHT);
        $cookieValue = base64_encode($len . $username . $hashedPassword);
        setcookie($cookieName, $cookieValue, time() + 86400 * 30, '/', $_SERVER['SERVER_NAME']);
    }

Getting the cookie data:

    public function rememberMember() {
        $cookieName = md5($_SERVER['SERVER_NAME']);
        if (!empty($_COOKIE[$cookieName])) {
            $cookieValue = base64_decode($_COOKIE[$cookieName]);
            // The first 3 characters hold the username length, padded with '$'
            $len = (int) $cookieValue;
            $username = substr($cookieValue, 3, $len);
            $hashedPassword = substr($cookieValue, $len + 3);
            return array($username, $hashedPassword);
        }
        return false;
    }

After getting the cookie data, just compare the username and the password to the values that are stored in the database table.

  • Like 1

Do you really need the remember-me system? It still needs a DB trip to get authenticated every time, so if it is a usual login vs. remember me, it is the same from the perspective of DB access. One advantage it has is that users don't need to type their password, but most modern browsers have an option to save passwords, and their security is managed by the browser vendor. Browser passwords also decrease any chance of exploiting cookies and the overall user identity.

Edited by birbal