Securing a login system

[eluser]Medikal[/eluser]
Hey guys, just gonna run down my current thought of a login system for you and wondering if you could give me some feedback as to possible holes in it's security. Note I am not using an SSL Certificate.

User logs in using username and password, if they are correct it sets a cookie value to
the format of 'userid-randommd5'. The random md5 is a completely random code generated only if their credentials are correct, and inputs it in a field in their database row. The other is obviously their unique user ID.

So every single time a page loads it checks if the user ID, the user they are or impersonating to be, and checks it against the random value, if it matches the script continues, otherwise it kills the cookie and all user-only content is blocked.

I understand this checking every time a page is loaded provides a huge and maybe unnecessary amount of overhead, however if anyone can provide a secure alternative, it would be much appreciated.

Thanks, Dan.

[eluser]tonanbarbarian[/eluser]
since you are probably going to grab the users details based on the userid in the cookie, there is no real overhead in looking up the userid and hash for each page request.

the issue you are going to have however is if users share account.
i know you probably ideally do not want them to be able to do this, but particularly if the site is administered by people how are not all that familiar with running a website, I have found over the years that some people will just sahre their admin account details with another user to help them admin the site, rather than creating separate accounts.

so the issue will be that is one user logs into the account, the system will create a unique hash and store it in the user details, then if someone else on another computer logs in with the same account details it will reset the hash and the first person will be logged out.
you can then get into a round robin match of people be logged out, logging back in and thereby logging the other user out and then being logged out again as the other user logs back in.

And if the users do not really understand WHY they should not share account you will have the users complaining they continually get logged out and it may appear to the users that the site is broken

You might think that if you block login to the account if the hash is set you can slop people logging in when someone else is using the account, but then you have the problem of making sure that the hash is unset each time the user logs out, and how you manage the unset of the hash if the user does not log out correctly at all.

apart from this I can see no major issues with what you are doing. it is a fairly simple but effective system of securing a site

[eluser]Aleazus[/eluser]
I would suggest adding a salt to your md5 encryption.

This would help with securing passwords.

In regards to checking whether a user is logged in already. Simply use a is_logged_in() function when a user goes through your login.

[eluser]flash_back[/eluser]
you have freakauth lite all ready, just little modifications and he will be cool, just using db_session instead new code (same s... in 1.6.2), I need to check up 1.7.2 now