
User Authentication Class

#16 cxn

  • New D.I.C Head

Reputation: 0
  • Posts: 33
  • Joined: 10-March 12

Posted 20 April 2012 - 02:45 AM

Hello, thank you for this great article - it's exactly what I was looking for!

I'm going to be working my head around getting the database stuff in there. I'm fairly new to PDO as well so I hope I'm going to do it right. Before this I want to make sure the rest is working.
I was wondering if the following piece of code needs editing:

<?php

class Auth {
	private $_siteKey;

	public function __construct()
	{
		// Must match the declared property name $_siteKey; writing $this->siteKey
		// would silently create a second, undeclared property instead.
		$this->_siteKey = 'my site key will go here';
	}
}

With what do I replace 'my site key will go here' ? Should I use the randomString function? I'm new to OOP so this might be a very very stupid question heh.

Thanks in advance

#17 sampras

  • New D.I.C Head

Reputation: 0
  • Posts: 2
  • Joined: 19-February 12

Posted 28 April 2012 - 12:31 PM

Hi, thanks for the great article. Is there a reason why you have avoided using cookies?

#18 E_Geek

  • D.I.C Head

Reputation: 45
  • Posts: 236
  • Joined: 20-February 11

Posted 23 May 2012 - 11:35 AM

Hey, sorry for the very late reply, I've had a very hectic three month period.

Cxn, if you are still having trouble, you would replace that string with a (preferably) random 'site key' that will not change after your website is live.

Sampras - I guess I find sessions easier to work with, for one. The main reason is that cookies are stored on the client's machine, and can be manipulated by a user incredibly easily. Sessions, on the other hand, are a server-stored mechanism, offering you greater control over what the user can manipulate.

#19 sampras

  • New D.I.C Head

Reputation: 0
  • Posts: 2
  • Joined: 19-February 12

Posted 05 June 2012 - 02:37 AM

Well, the problem with sessions is that they are destroyed when users close their browser.
In the case of sites like Facebook, I have noticed that even if you close your browser,
you can still go back to your account without logging in.

This shows Facebook is using cookies.
I would like to learn how to securely implement cookies in my login system.
My own guess is to:

1) create a random string when the user logs in and store it in a table.
2) add the user agent to the random string.
3) hash the coupled string and store it in a cookie.
4) store the user_id and hashed string separately in the login table.

Then:
5) every time the user goes to a new page, compare the browser
cookie hash string with the database table to see if there is a match.
6) get the random string from the table, add it to the client's HTTP user agent
and check to see if it is the same as the string in the cookie.
7) if everything is a match then allow the user into the new page.
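The seven steps above, carried through as an added example (this is not code from the thread or from E_Geek's Auth class). It keeps the layout sampras describes, a random string minted at login, recorded in a login table and checked on every page together with the user agent, with two changes a reviewer would ask for: the cookie carries a random selector plus a random validator, and the table stores only a hash of the validator, so that reading the login table does not yield a usable cookie. The login table is simulated with a PHP array, the user-agent string and the 30-day lifetime are constructed assumptions, and the setcookie() options array assumes PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread or from E_Geek's Auth class.
// Persistent-login ("remember me") cookie: selector + validator, with only a
// hash of the validator kept server-side. The login table is simulated by an
// array keyed on selector; in production it is a DB table with the same columns.
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600; // 30 days, an assumed policy

/**
 * Steps 1-4 of the thread: mint a random token at login and record it.
 * Returns the cookie value "selector:validator". The table gets the user_id,
 * sha256(validator) and sha256(user agent), never the validator itself.
 */
function issueRememberToken(array &$loginTable, int $userId, string $userAgent): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars: lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // 64 hex chars: the secret part
    $loginTable[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'ua_hash'        => hash('sha256', $userAgent),
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Steps 5-7: on each page, look the cookie up and verify it.
 * Returns the user_id on success, null on any failure.
 */
function checkRememberToken(array &$loginTable, string $cookieValue, string $userAgent): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($loginTable[$selector])) {
        return null;                              // unknown selector
    }
    $row = $loginTable[$selector];
    if ($row['expires'] < time()) {
        unset($loginTable[$selector]);            // expired: clean up
        return null;
    }
    // hash_equals() is constant-time; comparing hashes of equal length avoids a timing oracle
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($loginTable[$selector]);            // right selector, wrong secret: revoke it
        return null;
    }
    if (!hash_equals($row['ua_hash'], hash('sha256', $userAgent))) {
        return null;                              // step 6: user agent must match
    }
    return $row['user_id'];
}

/** Send the cookie with the flags the browser should enforce (assumes HTTPS). */
function sendRememberCookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Demo with a constructed table and a constructed user-agent string
$table  = [];
$ua     = 'Mozilla/5.0 (constructed example UA)';
$cookie = issueRememberToken($table, 42, $ua);

var_dump(checkRememberToken($table, $cookie, $ua));           // same browser
var_dump(checkRememberToken($table, $cookie, 'other UA'));    // different user agent
var_dump(checkRememberToken($table, 'bogus:value', $ua));     // unknown selector
```

Calling sendRememberCookie() belongs in the login handler, before any output, for the same reason Atli gives about session_start() later in this thread. A wrong validator for a known selector is treated as a stolen or guessed cookie and the row is revoked, so the attacker gets one attempt per selector rather than an offline search.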

#20 Seanny

  • New D.I.C Head

Reputation: 0
  • Posts: 2
  • Joined: 10-August 12

Posted 15 August 2012 - 10:36 AM

Thanks for the great tutorial, it really helped me understand session security.

I want to use authentication for my page 'graph.php', but I'm having a weird bug.
When the user first authenticates everything is great, but if the user wants to refresh the page, the user is forced to log in again.

I've narrowed it down to the fact that every time you refresh the page, the session is restarted, which makes a new session ID, which causes a mismatch when I use the method checkSession. Is there any way to stop this from happening? It would be really annoying if the user had to log in every time they refresh. I guess I could update the session ID every time the user refreshes, but wouldn't that compromise session security?

Here is my code to my graph.php page. Don't worry it's very short.

<html>
<body>
<?php
require_once 'auth.php';

session_start();

$auth = new Auth();

if (!isset($_SESSION['user_id'])) {
        //header( 'Location: index.html' );
        echo '<p>user_id is not set</p>';
} else {
        //Check we have the right user
        $logged_in = $auth->checkSession();

        if (empty($logged_in)) {
                //Bad session, ask to login
                //$auth->logout(); //I commented this out while debugging, but I don't think it would change anything.
                echo '<p>BAD SESSION</p>';
                //header( 'Location: index.html' );

        } else {
                //User is logged in, show the page
                echo '<p>SWEET</p>';
        }
}
?>
</body>
</html>

So to clarify, every time I hit F5 after being logged in successfully, I get the 'BAD SESSION' message, which means the user would have to log in again.

Thank you for your time,
Seanny

#21 Atli

  • D.I.C Lover

Reputation: 3719
  • Posts: 5,990
  • Joined: 08-June 10

Posted 15 August 2012 - 11:22 AM

Your PHP file cannot add any content to the output before you call the session_start() function, or it won't work. It needs access to the HTTP headers, which become unavailable as soon as the first character of the HTTP body (the HTML) is written. Which means you can't echo anything from PHP, or add any HTML (or anything else) before opening the PHP block.

The code you posted would be printing warnings about this if you had error reporting enabled. This should be enabled on development servers so things like this don't go unnoticed.
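Atli's point applied to Seanny's graph.php, as an added example rather than either poster's code: session_start() moves ahead of every byte of output, each header('Location: ...') is followed by exit so the protected body never renders, error reporting is switched on so a "headers already sent" warning is visible, and a headers_sent() check names the file and line where stray output began. It assumes, as Seanny's page does, that auth.php defines an Auth class with checkSession() and logout(); nothing else about that class is assumed.

```php
<?php
// Added example (not Seanny's or E_Geek's code): graph.php reordered so that
// session_start() runs before any output. Assumes auth.php defines the Auth
// class with checkSession() and logout() as used in the thread; nothing else
// about that class is assumed.
declare(strict_types=1);

// Development setting: make "headers already sent" warnings visible
ini_set('display_errors', '1');
error_reporting(E_ALL);

require_once 'auth.php';

// Anything emitted before this point (HTML, echo, a blank line or a UTF-8 BOM
// ahead of the opening PHP tag, including inside auth.php) stops session_start()
// from sending its cookie. Fail loudly and say where the output came from.
if (headers_sent($file, $line)) {
    throw new RuntimeException("Output already started at $file:$line; session_start() would fail");
}
session_start();

$auth = new Auth();

if (!isset($_SESSION['user_id'])) {
    header('Location: index.html');
    exit; // header() does not stop the script; without exit the page body still renders
}

// Check we have the right user
$logged_in = $auth->checkSession();
if (empty($logged_in)) {
    // Bad session: clear it and send the user back to the login page
    $auth->logout();
    header('Location: index.html');
    exit;
}
?>
<html>
<body>
<p>SWEET</p>
</body>
</html>
```

The closing `?>` on included files such as auth.php is a common source of the same problem: a newline after it is output. Leaving the closing tag off pure-PHP files avoids that.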

#22 Seanny

  • New D.I.C Head

Reputation: 0
  • Posts: 2
  • Joined: 10-August 12

Posted 15 August 2012 - 11:46 AM

Oddly enough, just restarting my server fixed my problem. I'm going to chalk that up as the "What?" moment of the day.

Regardless, thank you for the help Atli. As you may have noticed I'm quite new to PHP. I have enabled that error reporting and changed my code as you suggested.

#23 smackwilly

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 06-September 12

Posted 06 September 2012 - 07:15 AM

Hey E_Geek, great post, this was really helpful. Have you ever seen instances where your checkSession method is failing unexpectedly? For some reason my comparison of the session ID from the DB vs the actual session information is failing; however, when viewing in a debugger the two strings appear exactly the same. I've tried different comparison operators (==, ===, !==), all of which do not pass the test. I've also tried casting both to string just to ensure PHP isn't doing a strange type conversion on me. Any suggestions or clues you might have?

Thanks!
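Added example, not from the thread and not a diagnosis of smackwilly's particular setup: when two strings look identical in a debugger but fail ==, === and a string cast alike, the difference is in bytes the display hides (a trailing newline or space, padding returned from a fixed-width CHAR column, a different case in one hex digit). The helper below reports both lengths, both hex encodings and the first differing byte offset, which is enough to see which side to fix. The two sample values are constructed.

```php
<?php
// Added example (not from the thread): show why two "identical-looking" strings
// compare unequal, by reporting what the debugger's string view hides.
declare(strict_types=1);

/**
 * Compare $a and $b byte for byte. Returns:
 *   equal (bool), len_a, len_b, first_diff (byte offset or null), hex_a, hex_b
 */
function explainStringMismatch(string $a, string $b): array
{
    $first = null;
    $min   = min(strlen($a), strlen($b));
    for ($i = 0; $i < $min; $i++) {
        if ($a[$i] !== $b[$i]) {
            $first = $i;
            break;
        }
    }
    if ($first === null && strlen($a) !== strlen($b)) {
        $first = $min; // one value is a prefix of the other: extra bytes at the end
    }
    return [
        'equal'      => $a === $b,
        'len_a'      => strlen($a),
        'len_b'      => strlen($b),
        'first_diff' => $first,
        'hex_a'      => bin2hex($a),
        'hex_b'      => bin2hex($b),
    ];
}

// Constructed values: what session_id() returned vs. what came back from the DB row
$fromSession = 'q2n8h4a7v0f3k1r5';
$fromDb      = "q2n8h4a7v0f3k1r5    ";   // trailing padding, invisible in most debuggers

print_r(explainStringMismatch($fromSession, $fromDb));          // first_diff = 16, lengths differ
print_r(explainStringMismatch($fromSession, rtrim($fromDb)));   // equal once the padding is gone
```

Once the cause is found, fix the storage side (a VARCHAR column, or no newline appended on insert) rather than trimming on every comparison, and for the comparison itself use hash_equals() so that a session ID check does not leak how many leading bytes matched.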

#24 imperium2335

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 15-September 12

Posted 15 September 2012 - 03:32 AM

Hi,

Great tutorial and very useful so thanks a lot!

I have one question/idea.

Could you combine PBKDF2 with this log in system to make it even more secure?

If so would you use it on the password and salt or just the password?

You can see it here: https://defuse.ca/php-pbkdf2.htm

#25 dallbee

  • New D.I.C Head

Reputation: 4
  • Posts: 15
  • Joined: 17-October 11

Posted 15 September 2012 - 11:05 AM

PBKDF2 has been shown to be more vulnerable to GPU brute force attacks than just a standard bcrypt or scrypt. You're better off using PHP's built-in crypt() function, or if you're ambitious, https://github.com/DomBlack/php-scrypt . Scrypt is likely the strongest available hashing solution currently, though it's been less thoroughly tested than bcrypt.
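Added example, not code from the thread, from defuse.ca or from the php-scrypt project: bcrypt through PHP's built-in password_hash()/password_verify(), which wrap the $2y$ scheme of the crypt() function dallbee recommends, beside a PBKDF2 variant built on hash_pbkdf2() for comparison with imperium2335's question. Both assume PHP 5.5 or later; the bcrypt cost of 12 and the 600,000 PBKDF2 iterations are assumed starting points to be tuned against the server's CPU budget. On the salt question: bcrypt generates and embeds its own salt, so only the password is passed in; for PBKDF2 a fresh random salt is generated per password and stored beside the hash together with the iteration count.

```php
<?php
// Added example (not from the thread): bcrypt via password_hash()/password_verify()
// next to PBKDF2-HMAC-SHA256 via hash_pbkdf2(). Assumes PHP >= 5.5.
declare(strict_types=1);

/** bcrypt: the salt is generated and embedded by password_hash(); pass only the password. */
function bcryptHash(string $password, int $cost = 12): string
{
    // Caveat: bcrypt uses at most the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    if (!is_string($hash)) {
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

function bcryptVerify(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

/**
 * PBKDF2-HMAC-SHA256. Returns "iterations$base64(salt)$base64(dk)" so the
 * parameters travel with the record and can be raised later per user.
 */
function pbkdf2Hash(string $password, int $iterations = 600000): string
{
    $salt = random_bytes(16);                                        // per-password salt
    $dk   = hash_pbkdf2('sha256', $password, $salt, $iterations, 32, true);
    return $iterations . '$' . base64_encode($salt) . '$' . base64_encode($dk);
}

function pbkdf2Verify(string $password, string $stored): bool
{
    $parts = explode('$', $stored);
    if (count($parts) !== 3) {
        return false;
    }
    [$iterations, $salt, $dk] = $parts;
    $salt = base64_decode($salt, true);
    $dk   = base64_decode($dk, true);
    if ($salt === false || $dk === false) {
        return false;
    }
    $calc = hash_pbkdf2('sha256', $password, $salt, (int) $iterations, strlen($dk), true);
    return hash_equals($dk, $calc);   // constant-time comparison
}

// Demo with a constructed password
$pw   = 'correct horse battery staple';
$bc   = bcryptHash($pw);
$pb   = pbkdf2Hash($pw);
var_dump(bcryptVerify($pw, $bc), bcryptVerify('wrong', $bc));
var_dump(pbkdf2Verify($pw, $pb), pbkdf2Verify('wrong', $pb));

// When the cost is raised later, rehash on the next successful login
if (password_needs_rehash($bc, PASSWORD_BCRYPT, ['cost' => 13])) {
    $bc = bcryptHash($pw, 13);
}
```

The bcrypt branch is what to reach for in this class: the output of password_hash() is a single self-describing string (algorithm, cost, salt, digest) that fits in one VARCHAR(255) column and needs no separate salt column. PBKDF2 is kept here only to show the salt handling the question asks about.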

#26 beatou

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 27-April 13

Posted 27 April 2013 - 02:27 PM

E_Geek, on 14 September 2011 - 01:51 PM, said:

<?php

class Auth {
	private $_siteKey;

	public function __construct()
  	{
		$this->siteKey = 'my site key will go here';
	}



Shouldn't it be like this:

$this->_siteKey = 'my site key will go here';

I mean the missing underscore in siteKey?

In public function login you use
$selection['verified'];
and it should be
$selection['is_verified'];

Is this OK? Where should the missing brace bracket go?

E_Geek, on 14 September 2011 - 01:51 PM, said:

<?php
require_once 'Classes/Auth.php';

session_start();

$auth = new Auth();

if (!isset($_SESSION['user_id'])) {
	//Not logged in, send to login page.
	header( 'Location: index.html' );
} else {
	//Check we have the right user
	$logged_in = $auth->checkSession();
	
	if(empty($logged_in)){
		//Bad session, ask to login
		$auth->logout();
		header( 'Location: index.html' );
		
	} else {
		//User is logged in, show the page
	}




Thanks for that class! I used it with PDO in my new project, using OOP for the first time on a commercial website.
