user authentication system -- theory
Page 1 of 1 | 6 Replies - 2334 Views - Last Post: 01 December 2008 - 04:59 PM
Hey, so yeah, I'm just trying to think this through and need your help.
I want a user authentication system just like on your everyday sites, dreamincode, whatever.
You log in, you can come back to the computer some other time and you're still logged in, etc.
So, my question is, how do I do that securely?
I mean, yes, I could just embed a user ID in a cookie and check that cookie every time, but then they could just modify the cookie to a different ID and be logged in under someone else's name.
So... I'm just wondering how that is done normally.
Replies To: user authentication system -- theory
#2
Re: user authentication system -- theory
Posted 01 December 2008 - 10:34 AM
I think your best bet is to store 2 or 3 different things in a cookie, as well as using sessions.
1) userid
2) password hash
3) login hash (datetime+ip/datetime+userid/etc.)
If you want them to be able to stay logged in on multiple computers (like you can here at DIC), you would just use 1 and 2. If you want to force a new login from each computer, I would create a new login hash every time they log in and cookie that. If they try to access the site without the latest login hash, they'll have to log in again (which will essentially log them out from every other computer).
#3
Re: user authentication system -- theory
Posted 01 December 2008 - 11:17 AM
So I would have a function, somewhere, that on every page checked the userid compared to the password hash?
#4
Re: user authentication system -- theory
Posted 01 December 2008 - 11:20 AM
When they login, you would generate a hash of their password, store that in a cookie, along with their userid, and possibly some other hash. Then yes, on each page you would check all of those things to make sure the person is still who they say they are.
#5
Re: user authentication system -- theory
Posted 01 December 2008 - 12:54 PM
capty99, on 1 Dec, 2008 - 12:17 PM, said:
So I would have a function, somewhere, that on every page checked the userid compared to the password hash?
Not quite, regardless of what skyhawk says.
All sites use some mechanism for state (since HTTP is stateless). Usually cookies, but sometimes URL rewrites. The mechanism doesn't matter, as long as a session can be established. Most site languages (e.g. PHP) do this for you automatically. For instance, my current session on DIC is 144056e5ff9b382bb0cab96faaaaf796 (see how much I trust you guys). Note how absurdly long it is? That's so it can't be guessed, and chances are it won't be used again after the session times out.
The point is this. Look at the user's current session. If they don't have a flag that says they've been logged in or challenged, ask about their cookie. If they have a valid authentication cookie, mark them as logged in. Otherwise, mark them as flagged but not authenticated.
The next page looks for the session flag. If it's true, then they've already been through the challenge process and you don't have to look at anything else. Once they choose to log in, cookies fly, the session is updated, and you're done.
It actually makes more sense in code. There must be a snippet somewhere...
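Since the thread never got to a code version, here is one as an added example. It is not code from the thread, from DIC, or from the evolt.org link below, and it is framework-independent Python rather than PHP so the logic stands on its own. It implements the per-request flow from post #5 (trust the session's logged-in flag first, fall back to the persistent cookie, otherwise record the visitor as challenged but anonymous) and the "login hash" from post #2 item 3, including the single-computer variant that logs out every other machine. Assumptions: the three dicts stand in for database tables, the password hash is salted SHA-256 purely to keep the example dependency-free, and the persistent cookie carries a random per-login token (of which only a hash is stored server-side) instead of the password hash that post #2 lists as item 2, so the cookie's userid field cannot simply be edited to another account, which is the OP's worry.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed in-memory stores standing in for database tables; the thread
# names no storage layer, so these are an assumption of the example.
USERS = {}         # userid -> (salt, password hash); never leaves the server
LOGIN_TOKENS = {}  # userid -> list of sha256(login token) for persistent logins
SESSIONS = {}      # session id -> {"flag": bool, "userid": str or None}


def _sha256(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def register(userid: str, password: str) -> None:
    # Salted SHA-256 keeps the example dependency-free; a real site should
    # store passwords with a slow KDF such as bcrypt, scrypt or Argon2.
    salt = secrets.token_hex(8)
    USERS[userid] = (salt, _sha256(salt + password))


def check_password(userid: str, password: str) -> bool:
    record = USERS.get(userid)
    if record is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, _sha256(salt + password))


def new_session() -> str:
    # 32 hex characters, the same shape as the PHP session id quoted in post #5.
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"flag": False, "userid": None}
    return sid


def login(sid: str, userid: str, password: str,
          single_computer: bool = False) -> Optional[dict]:
    """Verify the password, flag the session, and mint the persistent cookie.

    The cookie carries the userid plus a fresh random "login hash" (post #2,
    item 3). Only its SHA-256 is kept server-side, so a leaked table does not
    hand out usable cookies. single_computer=True drops every earlier token
    for the user, which is the "log them out from every other computer" mode.
    """
    if not check_password(userid, password):
        return None
    token = secrets.token_urlsafe(32)
    if single_computer:
        LOGIN_TOKENS[userid] = []
    LOGIN_TOKENS.setdefault(userid, []).append(_sha256(token))
    SESSIONS[sid] = {"flag": True, "userid": userid}
    return {"userid": userid, "login": token}


def cookie_valid(cookie: Optional[dict]) -> bool:
    """Valid only if the token hash is in the list kept for *that* userid,
    so changing the userid field alone (the OP's worry) fails the check."""
    if not cookie:
        return False
    presented = _sha256(cookie.get("login", ""))
    known = LOGIN_TOKENS.get(cookie.get("userid"), [])
    return any(hmac.compare_digest(presented, h) for h in known)


def current_user(sid: str, cookie: Optional[dict]) -> Optional[str]:
    """Per-request check from post #5.

    1. If the session already carries the logged-in flag, trust it and stop.
    2. Otherwise consult the persistent cookie; if it is valid, set the flag.
    3. Otherwise note that the visitor was challenged and is still anonymous.
    """
    session = SESSIONS.setdefault(sid, {"flag": False, "userid": None})
    if session["flag"]:
        return session["userid"]
    if cookie_valid(cookie):
        session["flag"] = True
        session["userid"] = cookie["userid"]
        return session["userid"]
    session["challenged"] = True
    return None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    first_visit = new_session()
    cookie = login(first_visit, "alice", "correct horse battery staple")
    later_visit = new_session()  # fresh browser session, only the cookie survives
    print(current_user(later_visit, cookie))                        # alice
    print(current_user(new_session(), dict(cookie, userid="bob")))  # None
```

Once the session flag is set, the browser only needs the session id cookie for the rest of that visit; the persistent cookie is consulted again only after the session expires. Both cookies should be sent with the HttpOnly and Secure attributes, and logging out should delete the user's token hash server-side as well as clearing the cookie, otherwise a copied cookie keeps working.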
#6
Re: user authentication system -- theory
Posted 01 December 2008 - 03:18 PM
Thanks I'm gonna take a shot at it later tonight.
Yeah, I was just having trouble thinking it through.
(And yeah, I've done authentication with things before, but I've never gotten down and dirty with it, and it's for a class, so I'm gonna learn it the right way... it will only help down the road anyway.)
#7
Re: user authentication system -- theory
Posted 01 December 2008 - 04:59 PM
Hi.
If you would like to see a "code" version of what has been said, you could look at this code example:
http://www.evolt.org/node/60384
I think this is a nice example of creating a somewhat secured login system. You should have a look at it.