I have been creating a PHP-based CMS to be used on my small robotics team's website. Sure, there are lots of other platforms available, but where is the fun in that?

More importantly, though, we do receive extra points for being able to say that we went beyond creating a template for Drupal or Wordpress. This is a little unrelated, but I would like to be able to release the CMS as FOSS eventually; however, it will certainly need to mature and become safer first. But I digress.

I have arrived at the point in developing this system where I need a login system. It has caused more frustration than I was expecting. I can be meticulous when it comes to security, which is not always for the best. The issue is, I know how to take care of database security (trust no user input, store passwords as a hash with a random salt, etc.), but I don't have the knowledge to create a good client-server system. A couple of questions in this regard: How secure is it to use session variables? How would one implement session variables properly in this regard? Should the session cookie be regenerated on each page view? You give up a lot of security when using cookies to keep the user logged in for a period of time, but what are the best practices for implementing such a system?

A great tutorial about this subject would greatly help, also.

Thanks for your time.

If you are trying to really learn more about the issue/answer, instead of copy/pasting somebody else's code, read this article.

http://jaspan.com/improved_persistent_login_cookie_best_practice

Excellent resource for persistent cookie management; although it does not give you the code, it gives you a good grounding/concept to produce a safer login system.

Obviously the most secure PHP login system is one which does not have persistent login functionality, as user credentials will never be saved anywhere aside from the server.

erm, explaining all of the issues would fill a good-sized book - never mind solutions to them.

The Reader's Digest version of the abridged executive summary of the idiot's guide is:

  • use SSL
  • make certain the secure and httponly flags are set for session cookies (go read up on session hijacking, MITM attacks)
  • regenerate the session id at login (go read up on session fixation) and logout
  • implement an abstraction layer in the authentication and authorization system
  • implement a separate layer of abstraction over each of these two components
  • do implement a per-page authorization check
  • work out ahead of time if you want to partition your data in terms of visibility/access

Use some already established libraries like http://freakauth.4webby.com/
Why reinvent the wheel!
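The session-handling items from the checklist above (secure and httponly cookie flags, regenerating the session id at login and logout, a per-page authorization check) as an added PHP example; this is not code from any of the answers or from the linked libraries, and it assumes an HTTPS-only site plus a hypothetical `verify_password()` helper that checks the submitted password against the stored salted hash:

```php
<?php
// Added example (not from any answer above): minimal session hardening in PHP.
// Assumes the site is served only over SSL and that verify_password($user, $pass)
// (hypothetical, defined elsewhere) checks the password against a salted hash.

function start_secure_session(): void {
    // Cookie flags must be set before session_start(): send the session cookie
    // only over TLS, hide it from JavaScript, and limit cross-site sending.
    session_set_cookie_params([
        'lifetime' => 0,        // cookie dies with the browser session
        'path'     => '/',
        'secure'   => true,     // requires SSL (first item in the checklist)
        'httponly' => true,     // not readable via document.cookie
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session ids PHP did not issue
    ini_set('session.use_only_cookies', '1'); // never accept an id from the URL
    session_start();
}

function login(string $username, string $password): bool {
    if (!verify_password($username, $password)) {
        return false;
    }
    // A fresh id on privilege change is what defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['logged_in'] = time();
    return true;
}

function logout(): void {
    $_SESSION = [];
    // Expire the cookie client-side as well as removing the server-side record,
    // so the old id cannot be presented again.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'],
              $p['secure'], $p['httponly']);
    session_destroy();
}

// Per-page authorization check: call at the top of every protected page.
function require_login(): void {
    if (empty($_SESSION['user'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}
```

The array form of `session_set_cookie_params()` with `samesite` needs PHP 7.3 or later; on older versions pass the flags positionally and drop `samesite`.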