  #1 okrogius (SitePoint Guru)

    Authentication concept

    Here's an idea I've been thinking about as far as implementing a very speedy authentication. My main issue is that the user base will likely be on a different database (or server altogether) from the one with this application, so doing a constant "SELECT x FROM user WHERE userID=y;" on every page load is not really an option.

    Now to the idea...
    • Whenever a user is browsing as a guest, there are no cookies and no sessions. Nada.
    • Whenever a user is logged in, there is one cookie always set (no cookie means not logged in).
    Cookie will be assembled like this:
    userID.username.passwordHash.expiration.cookieFingerprint

    An example one could be:
    "1.Admin.5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8.12345.0bfc3e5677f7f7e7337cd32ab8782fcba9f1c8bb"

    In case you're curious about the above hashes:
    sha1('password') == 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
    sha1('1Admin5baa61e4c9b93f3f0682250b6cf8331b7ee68fd812345salt') == 0bfc3e5677f7f7e7337cd32ab8782fcba9f1c8bb
    12345 is just an example of an expiration value; it will be a unix timestamp within two weeks after the login (the time the cookie will stop authenticating someone).

    On each page load, if the cookie is present and validates (by fingerprint; I assume I can trust the data if the fingerprint matches, since the "salt" is secret), the user is authenticated. If a cookie is not found, or the fingerprint doesn't validate, I don't authenticate the user.

    This works nicely efficiency-wise, as there is no session tracking at all and no constant queries to get user information.

    Now... the disadvantages:
    - user is banned
    The system in no way can tell if someone is banned at any point other than login, when they get the cookie in the first place; but this isn't a biggie for me, since I'm not planning to ban users from my webSITE.
    - password changed
    If a user logs in, doesn't log out, then changes the password on another computer, the first computer will still authenticate the user from the old cookie. Is it really a significant issue? I'm not sure. Part of the cookie is the "expiration" value (unix timestamp), so even if a cookie like that is set, it will expire eventually (I'm planning to allow logins to be remembered for only up to two weeks). Another measure I can take is to ONLY verify the password on the first page load in a visit.

    I'm not really placing anything particularly sensitive on the website, so this system seems adequate to me.

    If anyone can give impressions or critiques of this concept, I would greatly appreciate it. Perhaps I'm missing some other disadvantages to this?
    Last edited by Codename49; May 8, 2003 at 17:28.
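The cookie scheme described in the post above, as an added worked example that is not code from the original post. It issues and validates the "userID.username.passwordHash.expiration.fingerprint" cookie without touching a user table on normal page loads, and then shows the "password changed" disadvantage the post raises, with the post's suggested mitigation (re-checking the password hash on the first load of a visit). Two things are assumptions of this example rather than the post's design: the fingerprint is HMAC-SHA1 keyed with the secret instead of sha1(fields + salt), and the MAC input joins the fields with a separator so that, for example, userID "1" plus username "2Admin" cannot produce the same input as userID "12" plus username "Admin". The user store, the secret value "salt" and the sample timestamps are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed example secret (the post calls it "salt"). Keep it in server
# configuration, not in the remote user database the cookie is meant to avoid.
SERVER_SECRET = b"salt"

# Constructed stand-in for the remote user database: userID -> record.
USER_STORE = {
    "1": {"username": "Admin",
          "password_hash": hashlib.sha1(b"password").hexdigest()},
}

TWO_WEEKS = 14 * 24 * 3600


def fingerprint(user_id, username, password_hash, expiration):
    """Keyed MAC over the cookie fields (example design: HMAC-SHA1 instead of
    the post's sha1(fields + salt), with a NUL separator between fields)."""
    msg = "\x00".join([str(user_id), username, password_hash,
                       str(expiration)]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha1).hexdigest()


def issue_cookie(user_id, username, password_hash, now=None, lifetime=TWO_WEEKS):
    """Built once at login: userID.username.passwordHash.expiration.fingerprint."""
    now = int(time.time()) if now is None else int(now)
    expiration = now + lifetime
    fp = fingerprint(user_id, username, password_hash, expiration)
    return f"{user_id}.{username}.{password_hash}.{expiration}.{fp}"


def parse_cookie(cookie):
    """Split the cookie. A username may itself contain dots, so the fixed
    fields are taken from both ends and whatever is left is the username."""
    parts = cookie.split(".")
    if len(parts) < 5:
        return None
    user_id, fp = parts[0], parts[-1]
    password_hash, expiration = parts[-3], parts[-2]
    username = ".".join(parts[1:-3])
    if not expiration.isdigit():
        return None
    return user_id, username, password_hash, int(expiration), fp


def _verify(cookie, now):
    """Stateless check: fingerprint must match and the cookie must not be expired."""
    parsed = parse_cookie(cookie or "")
    if parsed is None:
        return None
    user_id, username, password_hash, expiration, fp = parsed
    expected = fingerprint(user_id, username, password_hash, expiration)
    # compare_digest avoids leaking how many leading bytes of the MAC matched.
    if not hmac.compare_digest(expected, fp):
        return None
    if expiration <= now:
        return None
    return parsed


def authenticate(cookie, now=None):
    """Every page load: no session, no user-table query.
    Returns the trusted (userID, username) pair, or None."""
    now = int(time.time()) if now is None else int(now)
    parsed = _verify(cookie, now)
    return None if parsed is None else (parsed[0], parsed[1])


def authenticate_first_load(cookie, now=None):
    """The post's optional extra for the first page load of a visit: also
    check the cookie's passwordHash against the user store, so a cookie
    issued before a password change stops working."""
    now = int(time.time()) if now is None else int(now)
    parsed = _verify(cookie, now)
    if parsed is None:
        return None
    record = USER_STORE.get(parsed[0])
    if record is None or not hmac.compare_digest(record["password_hash"], parsed[2]):
        return None
    return parsed[0], parsed[1]


if __name__ == "__main__":
    login_time = 1_052_400_000                      # constructed timestamp
    cookie = issue_cookie("1", "Admin", USER_STORE["1"]["password_hash"], now=login_time)
    print("cookie:", cookie)
    print("page load:", authenticate(cookie, now=login_time + 60))
    print("tampered userID:", authenticate("2" + cookie[1:], now=login_time + 60))
    print("after two weeks:", authenticate(cookie, now=login_time + TWO_WEEKS))
    # The user changes their password elsewhere; the old cookie still passes
    # the stateless check but fails the first-load check.
    USER_STORE["1"]["password_hash"] = hashlib.sha1(b"new password").hexdigest()
    print("old cookie, stateless:", authenticate(cookie, now=login_time + 60))
    print("old cookie, first load:", authenticate_first_load(cookie, now=login_time + 60))
```

The banned-user disadvantage in the post is the same shape as the password-change one: nothing in the cookie changes when the account does, so any revocation has to come from a lookup like `authenticate_first_load`, or from letting the two-week expiration run out.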

