2 Replies - 458 Views - Last Post: 20 September 2012 - 01:10 PM

#1 adn258

How Should I Implement Session Expirations Securely?

Posted 19 September 2012 - 03:30 PM

So I've coded my site to expire the session after 7200 seconds, i.e. 2 hours. It's just a site where comments will be placed on things (I don't want to go into details), but I was thinking of the problems I might have here and potential help from you amazing people here :). THIS GETS CONFUSING BELOW!!

Let's say you get a nasty, malicious spam user that is constantly posting bogus comments (note: I want people to be able to post unlimited comments so they can talk back and forth, argue, etc. lol), but you get some jerk that's spamming things, and all I have to do, the way I designed my site, is log into MySQL and add a 0 to the activated section. Now they can't log in anymore and post, BUUUUUUTT THE PROBLEM with this is that if they are still in session, UNTIL THEY CLOSE THEIR BROWSER, WHICH COULD BE HOURS OR DAYS, etc., they can CONTINUE TO POST SPAM until that session expires, after which they can never log in again.

So my 7200 second idea is a safety: once they are blocked, the system will log them out automatically, after which they can't log in anymore. THE PROBLEM with this idea is that users posting a long comment COULD GET LOGGED OUT WHEN THEY CLICK POST AND LOSE THEIR WORK OF TYPING THE COMMENT!!

You might say something like a 30 second warning is the best alternative, where the user has 30 seconds to click continue or the session times out. I'm ok with this idea, only again the malicious user that has just been blocked so they can't log in anymore CAN KEEP CLICKING CONTINUE TOO AND SPAMMING AWAY.

Solutions or ideas anyone has on this, please let me know. I was thinking about changing my bInSession function to check whether the account is Activated in the users table in a MySQL database, but connecting like that over and over again seems costly... "sigh"


Replies To: How Should I Implement Session Expirations Securely?

#2 Atli

Re: How Should I Implement Session Expirations Securely?

Posted 19 September 2012 - 05:20 PM

How about just checking the database to see if the user has been blocked whenever that user tries to post something? You should already have an open database connection for that, so adding an additional query on that request should be trivial as far as performance is concerned.

In fact, verifying the user login against the database on each request should be no problem at all for any half-decent server, except under fairly heavy loads. And if the site is of a scale where that would actually be an issue, you should definitely be prioritizing security over minor performance gains.

P.S.
If you want to implement a secure user login system, you may want to start by reading this tutorial:
User Authentication Class

This post has been edited by Atli: 19 September 2012 - 05:25 PM

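The approach in the original question (a 2 hour session timeout) and in Atli's reply (re-check the database on each post) can be put side by side in one small piece of code. The example below is added here and is not code from either poster; the site's own language is not stated in the thread, so it is written in Python against an in-memory SQLite table that stands in for the MySQL `users` table, with `activated`, `IDLE_TIMEOUT` and the `post_comment` and `is_active` names being assumptions for illustration. The point it shows is that the block takes effect on the spammer's very next post, without waiting for the session to expire, while a legitimate user whose session has idled out gets their draft handed back instead of lost.

```python
import sqlite3

# Idle timeout from the original post: 7200 seconds (2 hours).
IDLE_TIMEOUT = 7200


def make_db():
    """Constructed stand-in for the site's MySQL 'users' table (in-memory SQLite)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, "
        "activated INTEGER NOT NULL DEFAULT 1)"
    )
    conn.executemany(
        "INSERT INTO users (id, name, activated) VALUES (?, ?, ?)",
        [(1, "alice", 1), (2, "spammer", 1)],  # constructed sample accounts
    )
    conn.commit()
    return conn


def is_active(conn, user_id):
    """The per-request check Atli suggests: one indexed lookup of the 'activated' flag."""
    row = conn.execute("SELECT activated FROM users WHERE id = ?", (user_id,)).fetchone()
    return row is not None and row[0] == 1


def login(conn, user_id, now):
    """Return a session dict, or None if the account is blocked (activated = 0)."""
    if not is_active(conn, user_id):
        return None
    return {"user_id": user_id, "last_seen": now}


def block_user(conn, user_id):
    """What the original poster does by hand: set activated to 0 in the database."""
    conn.execute("UPDATE users SET activated = 0 WHERE id = ?", (user_id,))
    conn.commit()


def post_comment(conn, session, draft, now):
    """Handle a comment submission. Order of checks matters:
    1. session present and not idle past IDLE_TIMEOUT,
    2. account still activated (read from the database, not from the session),
    3. only then accept the comment and refresh the idle clock.
    The draft is always returned so the form can be re-rendered with it on failure."""
    if session is None:
        return {"status": "no_session", "draft": draft}
    if now - session["last_seen"] > IDLE_TIMEOUT:
        return {"status": "session_expired", "draft": draft}
    if not is_active(conn, session["user_id"]):
        return {"status": "account_blocked", "draft": draft}
    session["last_seen"] = now
    return {"status": "posted", "draft": draft}


def demo():
    """Walk through the scenario from the thread; returns the sequence of outcomes."""
    conn = make_db()
    t0 = 1_000_000  # constructed clock value (seconds)
    alice = login(conn, 1, t0)
    spammer = login(conn, 2, t0)
    results = []
    # Spammer is still activated, so the first post goes through.
    results.append(post_comment(conn, spammer, "buy stuff", t0 + 10)["status"])
    # Admin flips activated to 0 while the spammer's session is still alive.
    block_user(conn, 2)
    # Next post is refused immediately; no need to wait for the session to expire.
    results.append(post_comment(conn, spammer, "buy more stuff", t0 + 20)["status"])
    # And a fresh login is refused too.
    results.append(login(conn, 2, t0 + 30) is None)
    # Legitimate user posts normally...
    results.append(post_comment(conn, alice, "hello", t0 + 100)["status"])
    # ...then comes back after more than 2 hours idle: refused, but the draft is kept.
    late = post_comment(conn, alice, "a very long comment", t0 + 100 + IDLE_TIMEOUT + 1)
    results.append(late["status"])
    results.append(late["draft"] == "a very long comment")
    return results


if __name__ == "__main__":
    print(demo())
```

The blocked check reads `activated` from the database on every post rather than trusting a flag copied into the session at login, which is exactly why the block lands on the next request. The extra query is a single primary-key lookup on a connection the post handler already holds, which is the performance point made in the reply above.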

#3 adn258

Re: How Should I Implement Session Expirations Securely?

Posted 20 September 2012 - 01:10 PM

Atli, on 19 September 2012 - 05:20 PM, said:

How about just checking the database to see if the user has been blocked whenever that user tries to post something? You should already have an open database connection for that, so adding an additional query on that request should be trivial as far as performance is concerned.

In fact, verifying the user login against the database on each request should be no problem at all for any half-decent server, except under fairly heavy loads. And if the site is of a scale where that would actually be an issue, you should definitely be prioritizing security over minor performance gains.

P.S.
If you want to implement a secure user login system, you may want to start by reading this tutorial:
User Authentication Class


I believe that I have a decently secure login; I most certainly will then just check to see if they are activated first, and if they aren't it won't allow them to post. I'm someone who's kind of obsessed with the performance of things like that, to the point that it's not for my own good, because as you said it's probably minute microseconds to check that.
