Proper website authentication

Started by SEOTechniques, Aug 21, 2022, 11:03 AM


SEOTechniques (Topic starter)

The question arose - how to properly implement authentication on the website?

The problem is more about remembering the user for a long time. The session is not durable, so something has to be stored on the client. However, anything stored on the client side can be stolen... The only thing that can be used (and cannot be stolen) is the user's IP... However, most people now have a dynamic one, which will create problems, including for the real user.

The question is how can all this be implemented correctly?

I know that this is reinventing the wheel, that there are ready-made solutions to look at, etc. But serious solutions like Yii are quite difficult for me to parse, and I want to understand.

I ran through the DLE 11 code. The version is a little old; maybe they have something new in the newer versions. However, in this version, the user check is reduced to the condition:

$member_id['password'] == md5( $_COOKIE['dle_password'] )
that is, the hash from the database is compared with the user's hash. It's amusing, isn't it?


You can get rid of the permanent existence of the key. On explicit logout, write an empty string to the DB and to the cookie. And do the regeneration and saving to the database on login, when the key selected from the database is empty.

Using an authorization key is practically standard. If you have some serious account, use additional login protection mechanisms, a frequently changing complex key, etc. For serious personal accounts, no one uses a "long-lived" key: authentication every time the browser is launched, a limited lifetime of the key even within one session (if the user is idle), key regeneration on the fly, etc.

By the way, in my topic, although a lazy option is described, it is quite workable. When you do a forced logout, you only regenerate the key in the DB, and it doesn't exist on any client. The complexity of the key can always be made comparable to that of the login/password pair. Getting rid of a constant key only makes sense if you use something else besides the login/password pair when logging in.
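The scheme described in the reply above (a random key issued on login, cleared on logout, regenerated on use), as an added example that is not code from DLE, Yii or this thread. It keeps only a hash of the key server-side and compares in constant time, so neither a DB leak nor the `==`-on-md5 check from DLE hands out a working cookie; `$db` is a constructed in-memory stand-in for the users table and the function names are my own.

```php
<?php
// Constructed stand-in for the users table: password hash plus the hash of
// the current remember-me key ('' means "no key issued / logged out").
$db = ['users' => [42 => [
    'password_hash' => password_hash('correct horse', PASSWORD_DEFAULT),
    'auth_key_hash' => '',
]]];

const COOKIE_NAME = 'remember';
const COOKIE_TTL  = 30 * 24 * 3600;   // 30 days

function issueRememberKey(array &$db, int $userId): string {
    // Fresh 256-bit random key; only its SHA-256 is persisted, so a leaked
    // database row cannot be replayed as a cookie.
    $key = bin2hex(random_bytes(32));
    $db['users'][$userId]['auth_key_hash'] = hash('sha256', $key);
    return $userId . ':' . $key;          // cookie value (user id is not secret)
}

function setRememberCookie(string $value, int $ttl): void {
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + $ttl, 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Strict',
    ]);
}

function login(array &$db, int $userId, string $password): bool {
    $row = $db['users'][$userId] ?? null;
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    setRememberCookie(issueRememberKey($db, $userId), COOKIE_TTL);
    return true;
}

function userFromCookie(array &$db, ?string $cookie): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) return null;
    [$id, $key] = explode(':', $cookie, 2);
    $stored = $db['users'][(int)$id]['auth_key_hash'] ?? '';
    // An empty stored hash (logged out) never matches; hash_equals avoids
    // the timing leak of a plain == comparison.
    if ($stored === '' || !hash_equals($stored, hash('sha256', $key))) return null;
    // Rotate on every successful use: a stolen copy stops working as soon
    // as the legitimate client has presented it.
    setRememberCookie(issueRememberKey($db, (int)$id), COOKIE_TTL);
    return (int)$id;
}

function logout(array &$db, int $userId): void {
    $db['users'][$userId]['auth_key_hash'] = '';   // invalidates every client
    setRememberCookie('', -1);                     // expire the browser cookie
}
```

Rotation on every request means two parallel requests from the same browser can race, with the loser getting logged out; a short grace window for the previous key, or rotating only once per N minutes, is the usual compromise.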