When I started seeing spam messages posted to the new column annotation system, I knew I would have to create some sort of user authentication system that helps weed out the losers. I'm the type that would rather write an entire library myself than try to learn something like PHPLib or other similar libraries.

The library needed to handle registration, confirmation emails, and account updates (passwords, emails), among other things. It also needed to be secure while not creating a burden on my overloaded database. So the new system needed to rely on cookies without being totally exploitable. It was an interesting dilemma. I knew I couldn't simply set a user_name cookie when someone logged in (a user name cookie is easy to spoof). I also knew I didn't want to set a simple hash and then have to confirm that hash against my database.

The solution was to set both. A user_name cookie is set, along with a hash. The hash is an md5() hash of the user_name plus a super-secret variable that only PHPBuilder knows. md5() is a one-way hash and is, for all intents and purposes, going to secure practically any website, but it should not be taken to be "uncrackable"*. So I could safely create a hash of the email, which is a known variable, plus the secret variable. It's kind of a public-key/private-key system.

The interesting thing about this system is that it could scale up almost infinitely. Since the hard work is done by md5() on the web server, additional servers can be dropped in incrementally to handle the load. The same is not true of an auth system that hammers a database: the database itself eventually becomes the bottleneck.
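The cookie scheme described above, written out as an added example (this is not the article's own code, and the cookie names, constants and function names are my own assumptions). It issues the two cookies at login and verifies them on later requests by recomputing the hash, so no database lookup is needed:

```php
<?php
// Added example of the stateless cookie check the article describes:
// one cookie holds the user name, a second holds a hash of that user name
// plus a server-side secret. Any web server that knows the secret can
// verify the pair without touching the database.
// Cookie names, the secret's source and the function names are assumptions.

const COOKIE_USER = 'user_name';
const COOKIE_HASH = 'user_hash';

// Constructed placeholder. In practice load the secret from a config file
// outside the web root and never commit it to source control.
const AUTH_SECRET = 'replace-with-a-long-random-secret';

// The article's construction: md5() over the user name and the site secret.
// A keyed MAC such as hash_hmac('sha256', $user, $secret) is the modern
// drop-in for this function; the verification below works unchanged with it.
function auth_hash(string $user, string $secret): string
{
    return md5($user . $secret);
}

// Called once, after the password has been checked against the database.
// The options-array form of setcookie() needs PHP 7.3 or later.
function issue_login_cookies(string $user, string $secret, int $ttl = 86400): void
{
    $opts = [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,   // send only over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ];
    setcookie(COOKIE_USER, $user, $opts);
    setcookie(COOKIE_HASH, auth_hash($user, $secret), $opts);
}

// Called on every request. Returns the user name when the cookie pair is
// consistent with the secret, or null when it is missing or tampered with.
function current_user(array $cookies, string $secret): ?string
{
    if (!isset($cookies[COOKIE_USER], $cookies[COOKIE_HASH])) {
        return null;
    }
    $user     = (string) $cookies[COOKIE_USER];
    $expected = auth_hash($user, $secret);
    // hash_equals() compares in constant time, so a forged cookie cannot be
    // refined one matching character at a time by measuring response time.
    return hash_equals($expected, (string) $cookies[COOKIE_HASH]) ? $user : null;
}

// Usage:
//   issue_login_cookies('tim', AUTH_SECRET);      // at login
//   $who = current_user($_COOKIE, AUTH_SECRET);   // on each protected page
// Logout simply expires both cookies; the server keeps no session state.
```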