Login authentication
#1

[eluser]veledrom[/eluser]
Hi,

This is what I do to authenticate whether a user is logged in or not, but IS IT ALL though? Do I have to do any other checks or store anything else in the session, etc.?

Note: I'm using database session.

Thanks


SESSION
Code:
$user_data = array('user_id' => sha1(md5($row->id . $ci_encryption_key)), 'is_logged_in' => true);
    
$this->session->set_userdata('user_data', $user_data);

AUTHENTICATION
Code:
if ($this->session->userdata('user_data'))
{
  $user_data = $this->session->userdata('user_data');
  
  if ($user_data['is_logged_in'] === true)
  {
     echo 'VALID Login'; exit;
  }
}

echo 'INVALID Login';
#2

[eluser]Aken[/eluser]
Nope, that's really about it if you're doing a simple logged in/out.

You can change the way you store userdata if you want: you're saving an array, when you could just set individual items instead. Just another option; what you're doing is perfectly fine if that's how you want to store/access data.

Code:
$user_data = array('user_id' => sha1(md5($row->id . $ci_encryption_key)), 'is_logged_in' => true);

// Passing the array directly stores each element as its own session item
$this->session->set_userdata($user_data);

// Read the logged-in flag back by its own key (must match the key set above)
$this->session->userdata('is_logged_in');
#3

[eluser]veledrom[/eluser]
"Nope, that’s really about it if you’re doing a simple logged in/out."

What do you suggest? Not one of those already-written, minefield-like libraries, please!!! I would rather understand the logic and write my own code.
#4

[eluser]craig.hoog[/eluser]
This will depend on what else you need to do.
Most of an authentication plugin's "bulk" is dealing with account creation, password storage, password resets, etc.

If you are only discussing a login/logout system... just make sure you're storing the session with encryption so no one can edit their session to User_id = 5 and become that user. That said, I believe the database portion you are using covers that also.

I used to use (and helped fix) QuickAuth 2.0, but even that became a bit bulky for me and what I wanted to do.
#5

[eluser]veledrom[/eluser]
OK, this is what I do now:

CONFIG.PHP
Code:
$config['encryption_key'] = 'A,n.?-*NTw2$';

$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 7200;

CONTENT OF MY SESSION:
Code:
$user_data = array(
    'login_key'    => sha1(md5($this->session->userdata('session_id') . $this->session->userdata('user_agent') . $ci_encryption_key)),
    'is_logged_in' => true
);

$this->session->set_userdata('user_data', $user_data);

AUTHENTICATION CHECK
Code:
...
...
// Recompute the key from the current session and compare with the stored one.
// Strict (===) comparison: == would compare two hex digests that look numeric
// (e.g. "0e...") as numbers.
$expected_key = sha1(md5($this->session->userdata('session_id') . $this->session->userdata('user_agent') . $ci_encryption_key));

if ($is_logged_in === true && $login_key === $expected_key)
{
   echo "Valid";
}


Is it good enough? If not how can I enhance it?
#6

[eluser]craig.hoog[/eluser]
I'm not a security auditor, but it looks good to me.
I've used a similar system multiple times.
#7

[eluser]veledrom[/eluser]
Thanks hoog.

Also waiting for comments from other friends...
#8

[eluser]boltsabre[/eluser]
Change your config
Code:
$config['sess_cookie_name'] = 'ci_session';
to something obscure like
Code:
$config['sess_cookie_name'] = 'sd8fd8343k3';

Otherwise a hacker can come along and see the "ci_session" in their cookies and go "wow... so now I know this website is using CodeIgniter, do I know any tricky little hacks just for CI? And as such, I now ALSO know it's going to be a PHP application, what hacks do I know related to PHP?". Not a major thing, but for such an easy fix it's well worth your effort - keep those little buggers guessing everything as long as possible! (In the same vein, you should modify your .htaccess/index.php and remove any and all mentions of .php in your URLs.)

Another trick I use is when someone logs in I store their user_id and email_address (plus some other stuff) in the session. I also "double" store the user_id and email_address in the session, but call them something obscure in the session like "old_promo_code" and "referal_code". I'll also add 10 random characters to the start and end of both of these "obscure" entries.
Then (I keep my function "is_logged_in" in a helper) when I call the just-mentioned function on my restricted pages, I'll strip those random characters out and then compare whether "user_id" == "old_promo_code" and whether "user_email" == "referal_code". It's just a little check; if they've already hacked your session, you've got bigger fish to fry, but it should catch the non-advanced hackers who try to change the session user_id or email but miss the "double" of it.
If it passes the above test, I'll then also get the user email from the DB related to the session user_id. If they don't match, login failed. This stops people from tampering with the actual session user_id... they can change it, but unless they also know the matching email address, they're stuck.

I'm not a security expert, but all the above things are pretty low in processing power/DB hits, and all just add a few little extra layers of protection and complexity for a potential hacker to try to get around... with soooo many insecure sites out there, unless yours makes an exciting target (i.e., storage of credit card details), if you make it hard enough, most hackers will just give up after a little while and try to find some easier prey.
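Added example, not code from the thread: a CodeIgniter 2 helper that combines the two ideas discussed in #5 and #8. It replaces the unkeyed sha1(md5(...)) login_key with an HMAC keyed on the server-side encryption_key, and confirms the session's user_id against the database on every restricted page. It assumes a `users` table with `id` and `email` columns and PHP 5.6+ for hash_equals(); both the table and the function names are assumptions.

```php
<?php
// Added example (not from the thread). Assumes a `users` table with `id` and
// `email` columns, and that set_login_session() is called once after the
// password check succeeds.

function login_tag($user_id, $session_id)
{
    $CI =& get_instance();
    // Keyed HMAC over user_id and session_id: forging a tag requires the
    // server key, unlike an unkeyed sha1(md5(...)) of values the client knows.
    return hash_hmac('sha256', $user_id . '|' . $session_id,
                     $CI->config->item('encryption_key'));
}

function set_login_session($user_id, $email)
{
    $CI =& get_instance();
    $CI->session->set_userdata(array(
        'user_id'      => (int) $user_id,
        'user_email'   => $email,
        'login_tag'    => login_tag((int) $user_id, $CI->session->userdata('session_id')),
        'is_logged_in' => TRUE,
    ));
}

function is_logged_in()
{
    $CI =& get_instance();
    if ($CI->session->userdata('is_logged_in') !== TRUE) {
        return FALSE;
    }
    $user_id  = (int) $CI->session->userdata('user_id');
    $expected = login_tag($user_id, $CI->session->userdata('session_id'));
    // Constant-time comparison; == would also accept type-juggled values.
    if ( ! hash_equals($expected, (string) $CI->session->userdata('login_tag'))) {
        return FALSE;
    }
    // Authoritative check: the user must still exist and the e-mail stored at
    // login must match the row, so a changed user_id alone is not enough.
    $row = $CI->db->where('id', $user_id)->get('users')->row();
    if ( ! $row || $row->email !== $CI->session->userdata('user_email')) {
        $CI->session->sess_destroy();
        return FALSE;
    }
    return TRUE;
}
```

Caveat for anything bound to session_id (this tag and the login_key in #5 alike): CodeIgniter 2 rotates session_id every sess_time_to_update seconds, which invalidates the stored tag, so refresh it after rotation or bind the HMAC to user_id and email only.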
