Secure login?
#1

[eluser]Aquillyne[/eluser]
How could I make an area of my CI site inaccessible unless someone had logged in - and make that login system secure?

The best way I can think of doing this is to set a session variable or two stating that a person is logged in, and check that on all the sensitive pages. And I suppose that session variable is only set if the right info is delivered from a login form.

But is this safe, is this secure, and what is the best practice in this area? I want to sleep knowing no one can hack this!

Thanks.
#2

[eluser]awpti[/eluser]
Only as safe and secure as your user's passwords and your logic.

This is a very ambiguous request. There isn't really any "best practice". It's really down to your needs/requirements.
#3

[eluser]Aquillyne[/eluser]
Take Google's login to GMail. I bet it isn't particularly simple.

I think there is more meat to my question of how to make a secure login than you suggest.

And then I'm obviously interested in what would be the best CI way of hashing out that logic.

For instance, it seems prudent to lock someone out after they've tried logging in too many times. Just how might I achieve this in a good way? A bad way might for instance be to store a cookie on their computer. They could then just clear their cookies and start again with their login attempts.
#4

[eluser]nfx-nano[/eluser]
Yes Aquillyne, that is how one would go about when checking for whether a user is logged in or not. Then all you have to do is unset the session data upon logout. Just don't use cookies, they are dangerous. You might want to also check out the "Ignited Code" section of this forum. There are already some nicely functioning and secure authentication libraries available. Just remember that authentication systems can never be 100% secure.
#5

[eluser]awpti[/eluser]
One of the simpler libraries is Erkanaauth.

Leaves it up to you to handle registration and such. FreakAuth is probably the most developed as far as features go.
#6

[eluser]Aquillyne[/eluser]
I've tried writing my own library, but I'm struggling over a few things.

I want something VERY simple - the user enters the right, hard-coded password, he gets through to the page. That's it. I don't want to connect to any database. There's no username. It's just a page with a hard-coded password.

How can I lock the user out (stop him from even trying to log in) if he gives the wrong password more than, say, 5 times? The only way I can see of doing this is via a session variable, but that's not particularly secure because he could just clear his cookies and try some more. Any ideas?
#7

[eluser]Colin Williams[/eluser]
The right way to do what you're saying is to completely lock the account and send an email to the user, making them login at a special URL. But, your system won't have a user, so you're kinda stuck with using a cookie, session, matching against IP, etc. There's no silver bullet.
#8

[eluser]awpti[/eluser]
You'll have to store that somewhere.

Flat file, database.

There's no magic for preventing someone from trying more than 5 times if you use session/cookies. Restart the browser/clear cache/cookies = 5 more tries.

If you store it in a flat file, you'll have to have a cronjob running on the machine to clean up after X amount of time. Or you could just perma-ban the IP and manually handle it/create an admin interface. either way you'll need a "database" of some sort. Flat file, in this case if you don't want to handle SQL.
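The server-side counter awpti describes above (a flat file that outlives the visitor's cookies, cleaned up after a time window), written out as an added PHP example that is not code from the thread or from any CodeIgniter library. It assumes PHP 5.4 or later, a writable file path outside the web root (the path shown is made up), and that the client IP address is a usable key; behind a reverse proxy you would have to use the real client address instead. Expired entries are dropped whenever the file is read, so no cron job is needed.

```php
<?php
// Added example: failed-login counter kept in a flat file on the server, so
// clearing cookies or restarting the browser does not reset the count.

define('LOCKOUT_FILE', '/var/lib/myapp/lockouts.json'); // assumed path, outside the web root
define('MAX_ATTEMPTS', 5);
define('LOCKOUT_SECONDS', 900); // entries older than this are forgotten

// Read the counter table, discarding expired entries on the way in.
function load_lockouts($path, $now)
{
    $data = array();
    if (is_file($path)) {
        $decoded = json_decode(file_get_contents($path), true);
        if (is_array($decoded)) {
            $data = $decoded;
        }
    }
    foreach ($data as $key => $entry) {
        if (!isset($entry['first']) || ($now - $entry['first']) > LOCKOUT_SECONDS) {
            unset($data[$key]);
        }
    }
    return $data;
}

function save_lockouts($path, $data)
{
    // LOCK_EX so two concurrent requests do not clobber each other's write.
    file_put_contents($path, json_encode($data), LOCK_EX);
}

// True if this key has used up its attempts inside the window.
function is_locked_out($path, $key, $now)
{
    $data = load_lockouts($path, $now);
    return isset($data[$key]) && $data[$key]['count'] >= MAX_ATTEMPTS;
}

// Record one failed attempt and return the new count for the key.
function record_failure($path, $key, $now)
{
    $data = load_lockouts($path, $now);
    if (!isset($data[$key])) {
        $data[$key] = array('first' => $now, 'count' => 0);
    }
    $data[$key]['count']++;
    save_lockouts($path, $data);
    return $data[$key]['count'];
}

// On a successful login, forget the counter for this key.
function clear_failures($path, $key, $now)
{
    $data = load_lockouts($path, $now);
    unset($data[$key]);
    save_lockouts($path, $data);
}

// In a real login controller the key would be $_SERVER['REMOTE_ADDR'] and the
// path LOCKOUT_FILE; this self-contained demo uses a temp file and a
// constructed client address instead.
$path = tempnam(sys_get_temp_dir(), 'lock');
$key  = '192.0.2.10'; // constructed sample address (documentation range)
$now  = time();
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    record_failure($path, $key, $now);
}
var_dump(is_locked_out($path, $key, $now));                        // locked after 5 failures
var_dump(is_locked_out($path, $key, $now + LOCKOUT_SECONDS + 1));  // window expired
clear_failures($path, $key, $now);
var_dump(is_locked_out($path, $key, $now));                        // cleared by a success
unlink($path);
```

In a login handler you would call is_locked_out() before checking the password at all, record_failure() on a wrong password and clear_failures() on a right one. Keying on IP address means several users behind one NAT share a counter, which is the trade-off Colin Williams points at in #7 when there is no per-user account to lock.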
#9

[eluser]Aquillyne[/eluser]
[quote author="awpti" date="1216698077"]either way you'll need a "database" of some sort. Flat file, in this case if you don't want to handle SQL.[/quote]

I assume that for something as small as this, a flat file would be better, in terms of running efficiency. Connecting to a database and inserting data will take up more time and memory, am I right?
#10

[eluser]awpti[/eluser]
The difference will be negligible at best. And you can get around any negatives with query caching.

Flat files are made difficult just because you have to write code to parse said flat file - though it's not difficult in this case.

Simple format of:

user:pass
user2:pass

Read it in using file(), explode each line on : and remove \n from the end of $array[1]; that will get you the username and password for comparing. You just have to stick said flat file outside of your webroot or create apache rules to block access to the file if you can't stick it outside the webroot.
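The user:pass flat-file scheme from the post above, as an added PHP example that is not code from the thread. It parses the file with file() and explode() as described, but stores password_hash() output in place of the plaintext password so that a leaked file does not hand out the passwords themselves, and uses FILE_IGNORE_NEW_LINES instead of trimming \n by hand. It assumes PHP 5.5 or later (for password_hash/password_verify) and a file path outside the web root; the path and the sample users are made up.

```php
<?php
// Added example: parse a "user:hash" flat file and verify a login against it.

define('CRED_FILE', '/etc/myapp/users.txt'); // assumed path, not under the web root

// Parse "user:hash" lines into array('user' => hash).
// FILE_IGNORE_NEW_LINES drops the trailing "\n"; FILE_SKIP_EMPTY_LINES
// tolerates blank lines at the end of the file.
function load_credentials($path)
{
    $users = array();
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return $users; // unreadable file behaves like "no users"
    }
    foreach ($lines as $line) {
        $line = trim($line); // also strips "\r" from Windows line endings
        if ($line === '' || $line[0] === '#') {
            continue; // allow comment lines
        }
        // Limit of 2 so a ':' in the hash field cannot split the line further.
        $parts = explode(':', $line, 2);
        if (count($parts) !== 2) {
            continue; // malformed line: skip it rather than half-parse it
        }
        $users[$parts[0]] = $parts[1];
    }
    return $users;
}

// Verify a submitted username/password pair against the parsed file.
function check_login(array $users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    return password_verify($password, $users[$username]);
}

// Build one line for the file (run this once, offline, when adding a user).
function make_credential_line($username, $password)
{
    if (strpos($username, ':') !== false) {
        throw new InvalidArgumentException('username may not contain ":"');
    }
    return $username . ':' . password_hash($password, PASSWORD_DEFAULT);
}

// Self-contained demo with a temp file and constructed sample users.
$tmp = tempnam(sys_get_temp_dir(), 'cred');
file_put_contents($tmp, implode("\n", array(
    '# constructed sample credentials',
    make_credential_line('alice', 'correct horse battery staple'),
    make_credential_line('bob', 'hunter2'),
)) . "\n");

$users = load_credentials($tmp);
var_dump(check_login($users, 'alice', 'correct horse battery staple')); // right password
var_dump(check_login($users, 'alice', 'wrong'));                        // wrong password
var_dump(check_login($users, 'carol', 'anything'));                     // unknown user
unlink($tmp);
```

For the single hard-coded-password case Aquillyne asked about in #6, the same approach works with a one-line file (or a constant) holding only the hash: keep the secret as a hash on the server, compare with password_verify(), and never store the plaintext in the code or the file.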