
Thread: Log in tips

#1 Bhjorth (SitePoint Enthusiast)

    Log in tips

    Hello all,
    I am typing a little login script in PHP and I am looking for ideas. When a user passes the username/password I want to save the session in a DB with information about the user, like what his IP is and what browser he was on when he logged in, so I can compare it with the information when he jumps around on the page.
    I will also save this information to check later use of cookies, but for now I am looking for tips on what info I can save.
    For now I have IP and browser saved; is there anything else I could use to authenticate that it is the same person?

    I hope you understand what I mean, thanks in advance.

#2 StarLion (Keeper of the SFL)
    Well, his browser won't change from page to page, but... anyway, the majority of the information you're interested in is stored in the $_SERVER superglobal array.

#3 Bhjorth (SitePoint Enthusiast)
    Quote Originally Posted by StarLion:
    Well, his browser won't change from page to page, but... anyway, the majority of the information you're interested in is stored in the $_SERVER superglobal array.
    OK, after reading around a bit I decided that I will only save the user's IP address when he logs in and starts his logged-in session. But here is the thing: I can't use the entire IP, as many have dynamic IPs as many know, so I will only save the first 5 digits of the IP, as the first numbers usually don't change even if it is dynamic.

    So here comes a question about what takes more power. As this will be in a table with maybe many thousands of logged-in users at the same time, I want it to be fast, so here are two scenarios.

    1: I take the IP, let's say 52.522.52.52, and run a preg_replace to remove the dots (.).
    PHP Code:
    $ip = preg_replace("/[^0-9]/", "", $ip);
    I do this so I can save the value as an INT instead of a VARCHAR, as I read this is faster when it comes to DBs.

    When I now have my value 525225252 I will only take the 5 first digits. As I said, the last ones can change a lot and give the user a bad browsing experience, with being logged out in the middle of sessions.
    So I do a substr()
    PHP Code:
    substr('525225252', 0, 5);
    So I end up with the value of 52522; the value of 52522 will then be saved in the DB with a timer(), userid etc.

    The preg_replace and substr will be done on every page view to check that the IP is still the same as it was when the user was logged in.

    OR

    2: Just save the IP 52.522 as VARCHAR in the DB, just check for the second dot instead, save that to the DB and compare on each page view.


    I really hope you understand what I am talking about here hehe, if you have better ideas please share.

#4 StarLion (Keeper of the SFL)
    Counterpoint:
    User IP: 12.123.221.12
    Strip the dots: 1212322112

    What was the user's original IP? 12.123.221.12? 121.23.22.112? Both of these IPs would return the same result.
    You could pad-then-store: explode over "." then str_pad each value to ensure it's 3 digits long (since all IPv4 address segments are limited to the range 0-255), and store that.
    Or you could convert each value to its 8-bit equivalent, slam them all together, and come up with a true int (which would have the benefit of not having to check for leading 0)...

    I'm not sure WHY you want to do this, though. Are you trying to persist a login beyond the session? Use a cookie.
    Never grow up. The instant you do, you lose all ability to imagine great things, for fear of reality crashing in.

#5 Bhjorth (SitePoint Enthusiast)
    Quote Originally Posted by StarLion:
    Counterpoint:
    User IP: 12.123.221.12
    Strip the dots: 1212322112

    What was the user's original IP? 12.123.221.12? 121.23.22.112? Both of these IPs would return the same result.
    You could pad-then-store: explode over "." then str_pad each value to ensure it's 3 digits long (since all IPv4 address segments are limited to the range 0-255), and store that.
    Or you could convert each value to its 8-bit equivalent, slam them all together, and come up with a true int (which would have the benefit of not having to check for leading 0)...

    I'm not sure WHY you want to do this, though. Are you trying to persist a login beyond the session? Use a cookie.

    First off, let me point out that I maybe know HOW to program, but I lack the experience in WHICH way I should program, so I am just learning the ropes.

    So I am on a shared host, and I read about session hijacking on shared hosts, and saving the IP seems to be a valid way to make sure that the user that created the session is the same person using it.

    And to protect against cookies being used by different people, being stolen etc., saving the first digits of the IP would make sure that the person using the session or the cookies is the same person that made them, you understand? If not please say so and I will try and explain better.
    Thanks for any help.

#6 StarLion (Keeper of the SFL)
    Saving the IP is only worse.

    IP range: 1-254 for each block.
    You're looking at the Level B IP (first two segments).
    So you've just said that 64,516 different IPs all belong to this one user.

    What if Joe Blow's neighbor goes to your site? He's got the same Level-B IP address as Joe. Your site then says... Neighbor = Joe. 'Session' successfully hijacked without even trying.

    Stick to session-and-cookie based management. It's far less likely that Joe Blow's neighbor stole his computer and duplicated his cookie.

#7 Bhjorth (SitePoint Enthusiast)
    Quote Originally Posted by StarLion:
    So you've just said that 64,516 different IPs all belong to this one user.
    But I will of course use the regular session checks as one always does; I thought I explained it, sorry if I missed it somehow. I didn't mean that the IP would be the only check, it would only be a second check for the session.

    So what I just said was that I would narrow it down to 64,516 different IPs to even be able to hijack it, instead of the entire world.

#8 Michael Morris (I solve practical problems)
    Quote Originally Posted by Bhjorth:
    First off, let me point out that I maybe know HOW to program,
    Then you should already understand one of the most basic rules of programming - if it isn't broken don't fix it. PHP session handling is fine as is, has about 10 years of hard testing behind it and is going to be far more secure than anything you'll come up with.

    Code php:

    That's it. You do not need to store sessions in the database nor should you without a specific reason. If you wish to track visitor information you can, but that's a separate issue from sessions.

#9 Bhjorth (SitePoint Enthusiast)
    Quote Originally Posted by Michael Morris:
    Then you should already understand one of the most basic rules of programming - if it isn't broken don't fix it. PHP session handling is fine as is, has about 10 years of hard testing behind it and is going to be far more secure than anything you'll come up with.
    I read on the internet that saving the IP with the sessions is making the sessions safer, for example here.

    Just something Google told me:
    maintain the client ip in the session when user logs in, for every request after logging in, check if the requests are coming from same ip

    Set a short session timeout, so that if left idle for a while the session times out automatically.
    and I read somewhere else that saving the IP in a table rather than in a session var is better.

    Should I assume that the last is wrong then? Should I just save the IP in the session?
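The advice in #8 (use PHP's own session handling) and the timeout tip quoted in #9, as an added example that is not code from any post in this thread: a login that keeps the built-in session mechanism, regenerates the session ID on authentication, and expires idle sessions, with no IP binding at all. It assumes PHP 5.5 or later and a site served over HTTPS (the Secure cookie flag); checkCredentials() and /home.php are hypothetical stand-ins for a real user table and landing page.

```php
<?php
// Added example (not code posted in the thread): a login built on PHP's own
// session handling, as posts #8 and #11 advise, with the two steps that do
// counter session hijacking: a fresh session ID on login and an idle timeout
// (the "short session timeout" quoted in post #9). No IP binding. Assumes
// PHP 5.5+ and HTTPS (the Secure cookie flag below); checkCredentials() is a
// hypothetical stand-in for a real user table.

ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue (PHP 5.5.2+)
// lifetime 0 = session cookie; path "/"; default domain; Secure; HttpOnly
session_set_cookie_params(0, '/', '', true, true);
session_start();

define('IDLE_LIMIT', 900); // seconds of inactivity before the session is dropped

function checkCredentials($user, $password)
{
    // Constructed sample user; a real site stores the hash, not the password.
    $users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
    return isset($users[$user]) && password_verify($password, $users[$user]);
}

function login($user, $password)
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    // Issue a new ID once authenticated so an ID planted before login
    // (session fixation) never becomes a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['last_seen'] = time();
    return true;
}

function logout()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call on every page: returns the user name, or null if not logged in
// or idle for longer than IDLE_LIMIT.
function currentUser()
{
    if (!isset($_SESSION['user'], $_SESSION['last_seen'])) {
        return null;
    }
    if (time() - $_SESSION['last_seen'] > IDLE_LIMIT) {
        logout();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return $_SESSION['user'];
}

if (isset($_POST['user'], $_POST['password'])) {
    if (login($_POST['user'], $_POST['password'])) {
        header('Location: /home.php'); // hypothetical landing page
        exit;
    }
    http_response_code(401);
}
```

The regenerate-on-login step is what closes session fixation on a shared host, and use_strict_mode stops the server from adopting an ID an attacker planted in a cookie; neither depends on the client's address, so users behind proxies or rotating-IP ISPs are unaffected.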

#10 SitePoint Member
    Quote Originally Posted by Bhjorth:
    I do this so I can save the value as an INT instead of a VARCHAR, as I read this is faster when it comes to DBs.
    You can use ip2long() to convert IPs, and then mask off the last 2 octets before you store it in the DB.

    PHP Code:
    $ip_l = ip2long($ip) & 0xFFFF0000;
    Then the IP won't be ambiguous, as StarLion pointed out. long2ip() will convert it back to a string.
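StarLion's collision in #4 and the two unambiguous encodings (pad-then-store from #4, the ip2long() mask from #10), as an added example that is not code from any post in this thread. It assumes 64-bit PHP, where ip2long() never returns a negative value and 0xFFFF0000 fits in an integer; the two addresses are constructed for illustration.

```php
<?php
// Added example (not code posted in the thread): why "strip the dots" is
// ambiguous, and two unambiguous encodings: StarLion's pad-then-store (post #4)
// and the ip2long() mask from post #10. Assumes 64-bit PHP; the two addresses
// below are constructed for illustration.

// The poster's original idea: drop everything but digits. Loses octet boundaries.
function stripDots($ip)
{
    return preg_replace('/[^0-9]/', '', $ip);
}

// Zero-pad each octet to three digits so the dots can be dropped without
// losing octet boundaries. Rejects anything that is not a dotted quad.
function padOctets($ip)
{
    $parts = explode('.', $ip);
    if (count($parts) !== 4) {
        throw new InvalidArgumentException("not a dotted-quad IPv4 address: $ip");
    }
    $padded = array();
    foreach ($parts as $p) {
        if (!ctype_digit($p) || (int) $p > 255) {
            throw new InvalidArgumentException("bad octet in $ip");
        }
        $padded[] = str_pad($p, 3, '0', STR_PAD_LEFT);
    }
    return implode('', $padded);
}

// Pack the address into a 32-bit integer and keep only the first two octets
// (the /16 the poster wanted). Reversible with long2ip(), and distinct
// prefixes can never collide.
function prefix16($ip)
{
    $n = ip2long($ip);
    if ($n === false) {
        throw new InvalidArgumentException("not a valid IPv4 address: $ip");
    }
    return $n & 0xFFFF0000;
}

$a = '12.123.221.12';
$b = '121.23.22.112';

var_dump(stripDots($a) === stripDots($b));
echo padOctets($a), ' / ', padOctets($b), PHP_EOL;
echo long2ip(prefix16($a)), ' / ', long2ip(prefix16($b)), PHP_EOL;
```

Run against the two addresses, stripDots() gives the same string for both, while padOctets() and prefix16() keep them apart. Whichever encoding is chosen, the thread's larger point stands: a /16 still covers tens of thousands of hosts, so the value is a tracking attribute, not an authentication check.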

#11 Michael Morris (I solve practical problems)
    Remember, there's a lot of old crap on Google, and even more wrong crap. The only reason to save session information into the database is if you are using multiple web servers behind a load balancer. Even then, session handling via the database is for the most part only found as a legacy feature in applications that had to run under PHP 4.2.

    4.2

    We are on 5.3!

    Storing the IP and using it for additional validation does little to further harden your site, but it will create problems for any user using a proxy. With the IPv4 address space pretty much exhausted this is going to become more and more common. Speaking of which, anything you write to deal with IPv4 addresses will fail rather spectacularly when IPv6 becomes the more common protocol in the next decade.

    Also keep in mind security runs both ways. There are ISPs that protect their users by deliberately rotating their clients' IP address on EVERY request they make in order to thwart tracking software and disrupt certain worms and viruses. For a user with such an ISP your site won't work.

#12 Bhjorth (SitePoint Enthusiast)
    Quote Originally Posted by Michael Morris:
    Remember, there's a lot of old crap on Google, and even more wrong crap. The only reason to save session information into the database is if you are using multiple web servers behind a load balancer. Even then, session handling via the database is for the most part only found as a legacy feature in applications that had to run under PHP 4.2.

    4.2

    We are on 5.3!

    Storing the IP and using it for additional validation does little to further harden your site, but it will create problems for any user using a proxy. With the IPv4 address space pretty much exhausted this is going to become more and more common. Speaking of which, anything you write to deal with IPv4 addresses will fail rather spectacularly when IPv6 becomes the more common protocol in the next decade.

    Also keep in mind security runs both ways. There are ISPs that protect their users by deliberately rotating their clients' IP address on EVERY request they make in order to thwart tracking software and disrupt certain worms and viruses. For a user with such an ISP your site won't work.
    I have to agree on the IP; I read up on it and it seems to change too much.

    But I can't agree when you say that sessions are safe as they are and I should do nothing to make them more secure.

    And I can't say your sarcasm helps a lot. Should I guess you are trolling?

#13 StarLion (Keeper of the SFL)
    I dont see any sarcasm in that post at all?

#14 Michael Morris (I solve practical problems)
    I really don't know what you are seeking if you think I'm trolling or are reading sarcasm into that post. I do know with that attitude you've secured a place on my ignore list - I don't have time for crap attitudes from people appealing for help.

