Best aproach to store Remember Me data |
I am writing my own auth library (i know there are a lot of readily available free proven ones, but i wanna get some experience and just make another fast and furious aut lib☻)
And i get stuck in one dilemma... with "Remember Me" option. As everybody knows - cookies is not the safe place to keep user's data So i decided - to make a new random key each time user is logged in PHP Code: $random_hash = bin2hex(random_bytes(30)); Store it in cookies (with user_name, and user_id, for what i will explain a little bit latter☻) After this i add a new line into the database with PHP Code: public function insert_user_session($user_name,$user_id,$session_hash) As i can see it - this approach has some advantages (user can be logged on several devices simultaneously) So it seems to work but - i got two theoretical problems. 1) It creates new lines in the databes really fast.... I tried to keep F5 pressed, and i got several hundreds new lines. 2) There is a possibility of hash collision, two users can get identical hashes - and someone can suddenly be logged as different user without any devious hacks☻ Of course i can check existing entries in the database (before inserting) and repeat this all over again until i got a truly unique value. But it seems to me like overkill (we need at least additional query) So i think just compare user_id from cookeis so in case of a collision there will not be such an unusual situation and someone will not become a out of the blue a different person.. So guys can you advise me how to resolve this puzzle? My bee to make a permanent hash that assigned for user for a long time? Btw - i trying it on a local machine and if i am keeping a f5 button for a lengthy period of time (5 sec) i get a following error: Message: mysqli::real_connect(): (HY000/1040): Too many connections Does it says something about? My be my CI configuration is wrong? It seems too easy to ddos my site ☻☻
I'm using Paragon Initiative approach for this: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
Only a selector and token are saved, not a userid. That's only available in the database. The automatic login algorithm looks something like: 1. Separate selector from validator. 2. Grab the row in auth_tokens for the given selector. If none is found, abort. 3. Hash the validator provided by the user's cookie with SHA-256. 4. Compare the SHA-256 hash we generated with the hash stored in the database, using hash_equals(). 5. If step 4 passes, associate the current session with the appropriate user ID. Q1. Re-use the selector and only update the token. Or both if you want. You will get the ID if step 4 match. Q2. Not possible, if you are using the right functions.
I was reading the same article☻☻ -
I didn't get the whole algorithm Am i right - that selector - is just an unique ID (and we must use selector to add a little bit secrecy about amount of users) So my table must have such structure (bare minimum) `id` integer(11) not null UNSIGNED AUTO_INCREMENT, `selector` char(12), `hashedValidator` char(64), `userid` integer(11) not null UNSIGNED, `expires` datetime, how to generate selector to exclude potential hash collision? My main question is - do i need to generate a new selector and hashedValidator, each time a user logs in and add a new entry in database. So i mean if the same user logs in using different browsers - in cookies he will get a different cookies (that have different selector and hashedValidator) do i need to make only one entry for user (in firefox and chrome user will get the same values in selector and hashedValidator cookies)
Use cookies, but you only store a token in it to check your users table.
Read this Article on it: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies) What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
Am i right - that selector - is just an unique ID (and we must use selector to add a little bit secrecy about amount of users)
selector are a unique ID that get's randomized so that your software don't suffer for a timing attack. And how many users are logged in. Code: CREATE TABLE `auth` ( how to generate selector to exclude potential hash collision? Use one of the functions inside the article. If they do collide (12 chars) it's not likely that a random 64 chars will collide too. So the users will be kicked out. If you are paranoid, you will need to query the database. My main question is - do i need to generate a new selector and hashedValidator, each time a user logs in and add a new entry in database. Each time a user clicks "Remember me" and open your site after they have closed the browser/sessions have been deleted by CI/server. Sure there are people who never closes their browser, but I keep mine static and the server have always timed out before 14 days (cookie). So i mean if the same user logs in using different browsers - in cookies he will get a different cookies (that have different selector and hashedValidator) Yes, he will get a different selector and token. do i need to make only one entry for user (in firefox and chrome user will get the same values in selector and hashedValidator cookies) Different Maybe you can get a few hints from my code. It's not tailored for CI, but it's using Paragonie examples. https://github.com/jreklund/php4dvd/blob...ss.php#L73 https://github.com/jreklund/php4dvd/blob...nc.php#L19 And here are the official version from them: https://github.com/psecio/gatekeeper/blo...mberMe.php |
Welcome Guest, Not a member yet? Register Sign In |