  1. #1 SitePoint Addict (joined Feb 2004; 291 posts)

    Authenticate users without session or cookie

    Hello.

    Is it possible to build a authentication method for user login, without the use of session or cookie variables?

  2. #2 SitePoint Wizard, bronze trophy (joined Jul 2006; Augusta, Georgia, United States; 4,048 posts)
    Yep, have them log in on every page request.
    The only code I hate more than my own is everyone else's.

  3. #3 beebs93, SitePoint Addict (joined Jul 2010; Vancouver, Canada; 207 posts)
    You theoretically could build one by using PHP's built-in Filesystem extension, but you really don't want to be storing sensitive information this way.

    I suppose if you placed the plain text file outside the webroot, hashed the password and turned off error reporting (to avoid potential errors showing the location of the file) it could be OK.

    If it was for a rinky-dinky site without any added potential risk for a client then maybe, but I think I'd choose a login system based on cookies/sessions in 99% of cases.

    Any particular reason you're looking for an alternate method?
    "To be truly dedicated to something you must be willing to betray it." -SW

  4. #4 Non-Member (joined Apr 2011; no fixed address; 851 posts)
    afaik using sessions would be the easiest way to check user bona fides. Why don't you want to use sessions?

  5. #5 SitePoint Wizard, bronze trophy (joined Jul 2006; Augusta, Georgia, United States; 4,048 posts)
    The hash would still need to exist on the client, in a cookie. That is, unless you used some other method such as IP, but that would be very insecure.
    The only code I hate more than my own is everyone else's.

  6. #6 beebs93, SitePoint Addict (joined Jul 2010; Vancouver, Canada; 207 posts)
    Off Topic:

    @oddz - Out of curiosity, if you made usernames unique, could you not generate a password hash based on that? Not that it's any more secure (in fact it's probably less so), but would that technically bypass the need for a cookie?
    "To be truly dedicated to something you must be willing to betray it." -SW

  7. #7 Aleksejs, "secure webapps for all" (joined Apr 2008; Riga, Latvia; 755 posts)
    I might be wrong, but if I remember correctly, then so-called "HTTP basic authentication", which on Apache httpd is enforced by .htaccess and .htpasswd files, does not rely on cookies. Instead it instructs the browser to send an HTTP authentication header. See for yourself. Good advanced usage examples can be found here: AskApache - Crazy Advanced Web Development
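
    How the HTTP Basic scheme described in this post works on the wire, as an added Python example that is not part of this thread and is not Apache's or PHP's code: the server answers a request that has no Authorization header with 401 and a WWW-Authenticate challenge, the browser then attaches an "Authorization: Basic" header to every later request, and the server re-verifies it each time without any cookie or server-side session state. The credential store, the PBKDF2 storage format, the work factor and the realm name are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

REALM = "example"          # assumed realm name used in the challenge
PBKDF2_ROUNDS = 200_000    # assumed work factor for password storage


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256 of a password (storage format is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_store(plaintext_users):
    """Build {username: (salt, hash)} from constructed plaintext credentials."""
    store = {}
    for name, password in plaintext_users.items():
        salt = os.urandom(16)
        store[name] = (salt, _hash_password(password, salt))
    return store


# Constructed credential store for the example; a real one lives outside the webroot.
USERS = make_user_store({"alice": "correct horse battery staple"})


def encode_basic(username, password):
    """Client side: the value a browser puts in its Authorization header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Server side: return (username, password) from an Authorization value, or None."""
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed base64 or not UTF-8: treat as no credentials
    if ":" not in decoded:
        return None  # RFC 7617 requires user-id ":" password
    username, _, password = decoded.partition(":")
    return username, password


def check_credentials(store, username, password):
    """Verify a password against the store with a constant-time digest comparison."""
    record = store.get(username)
    if record is None:
        # Unknown user: still do one hash so timing does not reveal which usernames exist.
        _hash_password(password, b"\x00" * 16)
        return False
    salt, expected = record
    return hmac.compare_digest(_hash_password(password, salt), expected)


def handle_request(headers, store=USERS):
    """
    One server round of the Basic scheme: (status, response headers, body).
    Nothing is remembered between calls; every request carries its own proof.
    """
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is not None and check_credentials(store, *creds):
        return 200, {}, f"hello {creds[0]}"
    challenge = {"WWW-Authenticate": f'Basic realm="{REALM}", charset="UTF-8"'}
    return 401, challenge, "authentication required"


if __name__ == "__main__":
    # Round 1: no header, the server challenges.
    print(handle_request({}))
    # Round 2: the browser resends with credentials; still no cookie anywhere.
    print(handle_request({"Authorization": encode_basic("alice", "correct horse battery staple")}))
```

    The exchange is stateless on the server, which is exactly why it needs no cookie: the cost is that the browser keeps resending the password with each request, so this only makes sense over TLS, and there is no server-side way to "log out" short of changing the realm or the credentials.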

  8. #8 StarLion, Keeper of the SFL (joined Feb 2006; Atlanta, GA, USA; 3,747 posts)
    'asks the browser to send information with requests' ....it walks like a cookie, and quacks like a cookie...

  9. #9 Aleksejs, "secure webapps for all" (joined Apr 2008; Riga, Latvia; 755 posts)
    But... it is not a cookie. Instead it is an HTTP header (yes, I know that a cookie is also transferred in a header) other than the one used for cookies.

    Now, I do not know why materix wants to avoid cookies. Maybe because of recent legislation changes, maybe just out of curiosity...

  10. #10 SitePoint Addict (joined Feb 2004; 291 posts)
    Quote (webdev1958): Why don't you want to use sessions?
    This is foremost a theoretical question. Sessions also create a cookie on the client. There seems to be a tendency, especially within European Union legislation, to limit the usage of cookies, e.g. Businesses urged to prepare for EU cookie laws | IT PRO.

    So therefore I was wondering, which options there are to avoid using cookies in your apps.

  11. #11 logic_earth, ". shoooo...", silver trophy (joined Oct 2005; CA; 9,013 posts)
    Using a session cookie is safe with the new EU laws. It is impossible to have any form of user authentication without them. In either case, they would have to go after every single site that uses PHP sessions if they want to go after this. My mother a few days ago asked me "what is a cookie?" when her bank's website told her her browser had no cookies. I can bet it will be the same over there in the EU. This law will do nothing but confuse users. And it is the wrong solution to the problem.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.

  12. #12 AnthonySterling, silver trophy (Twitter: @AnthonySterling; joined Apr 2008; North-East, UK; 6,111 posts)
    Off Topic:

    Site: Do you allow us to use cookies? User: No.
    Site: Do you allow us to use cookies? User: No.
    Site: Do you allow us to use cookies? User: No.
    Site: Do you allow us to use cookies? User: No.
    ...
    ...
    ad infinitum
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  13. #13 StarLion, Keeper of the SFL (joined Feb 2006; Atlanta, GA, USA; 3,747 posts)
    A session identifier cookie hardly falls into the category of personal information gathering; if such were not permitted, the Apache authorization headers would be disallowed too.

    Anthony's point is one that was brought up in the original news posting article (which... is somewhere on this forum, I believe... might be a different one); if the user says no you may not store any cookies, the site cannot store the information that the user has said no, and has to ask again. And again. And again.

  14. #14 logic_earth, ". shoooo...", silver trophy (joined Oct 2005; CA; 9,013 posts)
    The act of logging in is opt-in to accept this session cookie.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  15. #15 Immerse, SitePoint Wizard, bronze trophy (joined Mar 2006; Netherlands; 1,661 posts)
    Not sure about the UK, but here in the Netherlands the new cookie laws being discussed deal primarily with third-party cookies. Of course, you should never ask a politician what a third-party cookie is.

  16. #16 G.Schuster, "<?php while(!sleep()){code();}" (joined Mar 2007; Germany; 428 posts)
    Quote (logic_earth): It is impossible to have any form of user authentication without them [annotation: cookies].
    For sure, it IS possible.
    Haven't heard of GET/POST parameters to pass on the session ID?
    That way there definitely is NO cookie required.

  17. #17 logic_earth, ". shoooo...", silver trophy (joined Oct 2005; CA; 9,013 posts)
    Quote (G.Schuster): For sure, it IS possible. Haven't heard of GET/POST parameters to pass on the session ID? That way there definitely is NO cookie required.
    Which is the same exact thing as cookies. You only are changing the semantics. But passing this stuff in the URL is a lot easier to session hijack.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.


  18. #18 G.Schuster, "<?php while(!sleep()){code();}" (joined Mar 2007; Germany; 428 posts)
    No, it's not the same.
    I've never seen any browser that allows one to disable specific URL parameters.
    The other point is that, as a parameter, the session ID is not stored at the client and resent the next time he visits the page, so there's no "tracking".

    Quote (logic_earth): But passing this stuff in the URL is a lot easier to session hijack.
    Oh c'mon, are you serious?
    Security by obscurity has never been a good thing.
    It's equal in which way the session ID gets transmitted - you have to verify the client anyhow, e.g. by fingerprinting, so it doesn't matter if it's passed in by cookie or URL.

    Anyway, I just wanted to point out that your statement, that cookies are required, is nonsense.

  19. #19 logic_earth, ". shoooo...", silver trophy (joined Oct 2005; CA; 9,013 posts)
    Quote (G.Schuster): Oh c'mon, are you serious? Security by obscurity has never been a good thing.
    It's not obscurity. Go look up session hijacking and the issues with having a session ID in the URL.

    * I would reply more, short on time at the moment.
    Logic without the fatal effects.
    All code snippets are licensed under WTFPL.
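
    The session-hijacking concern raised in the last few posts about session IDs in URLs is something a defender can check for in server logs: a session ID placed in the query string appears in the request line of every access log entry and in the Referer header of any page or third-party resource loaded from that page, whereas a cookie value is not logged by default. The Python below is an added example that is not part of this thread and not any project's code; it scans constructed Apache combined-format log lines (not from any real server) for session identifiers in the request target or the Referer. PHPSESSID is PHP's default session name; the other parameter names in SESSION_PARAMS are assumed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Query parameter names treated as session identifiers. PHPSESSID is PHP's
# default session name; "sid" and "session_id" are assumed names for the example.
SESSION_PARAMS = {"phpsessid", "sid", "session_id"}

# Constructed Apache combined-format access log lines (not from any real server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2011:12:00:01 +0000] "GET /account?PHPSESSID=abc123def456 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/May/2011:12:00:03 +0000] "GET /help HTTP/1.1" 200 2048 "http://example.test/account?PHPSESSID=abc123def456" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:12:00:05 +0000] "GET /account HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2011:12:00:09 +0000] "GET /help?topic=sessions HTTP/1.1" 200 300 "http://example.test/" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def session_ids_in_url(url):
    """Return {param: value} for every session-carrying query parameter in url."""
    found = {}
    for key, values in parse_qs(urlsplit(url).query).items():
        if key.lower() in SESSION_PARAMS and values:
            found[key] = values[0]
    return found


def redact(value, keep=4):
    """Keep only a prefix, so the report itself does not re-leak the identifier."""
    return value[:keep] + "..." if len(value) > keep else value


def scan_log(text):
    """
    One finding per session ID seen in a request target or Referer.
    A hit in 'target' means the ID was in the URL the client requested;
    a hit in 'referer' means the previous page's URL, ID included, was
    sent on to whichever server served this request.
    """
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in ("target", "referer"):
            for param, value in session_ids_in_url(m.group(field)).items():
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "where": field,
                    "param": param,
                    "value": redact(value),
                    "path": urlsplit(m.group(field)).path,
                })
    return findings


def affected_sessions(text):
    """Distinct (redacted) session IDs that were exposed anywhere in the log."""
    return {f["value"] for f in scan_log(text)}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['where']:7} {f['param']}={f['value']} on {f['path']}")
```

    On the sample log the first line is flagged because the ID is in the requested URL, and the second because the same ID travelled on in the Referer when the user clicked through to /help; had that second request gone to an outside host, its operator would now hold a usable session ID. If the cookie route is acceptable, PHP can refuse URL-borne session IDs at the source with session.use_only_cookies = 1 and session.use_trans_sid = 0 in php.ini.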