PHP
Roman Yakushev, 2014-12-20 23:59:24

What are some articles about sessions in php that you can trust?

I am new to PHP. I googled authorization/registration in PHP.
I found this article on Habré.
Everything is simple and clear, it works and is safe. But I need almost the same article, only with the implementation of authorization on sessions.
Yes, there is Google - it did not give anything. And what it did give - everywhere in the comments they write about a ton of holes. I need a secure way.
Yes, there is documentation for PHP where everything is also clearly described, but there is not a single full-fledged example of implementing authorization and registration on a site. Of course, I could try to write my own form using the reference manual - but 1. I'm afraid that I will make even more holes than in any example that I found, and 2. I understand better by examples. Simple code with comments and nothing more is fine.


2 answer(s)
FanatPHP, 2014-12-21
@FanatPHP

Authorization on sessions is no different from authorization on cookies, except that the session itself generates a hash and sets a cookie.
So if you think this code is safe, then just replace setting and checking the cookie with setting and checking the session variable.

Lesha Kiselev, 2014-12-21
@Yakud

Here are a couple of interesting articles on this topic:
blgo.ru/blog/2014/07/18/regform
blgo.ru/blog/2014/07/24/regform-112
In general, the algorithm is something like this:
We turn on https, hash the password during registration with salt and a static key. More or less like this:

$staticKey = "Your static key";
$salt = bin2hex(random_bytes(16)); // random string of digits (hex), generated per user
$password = sha1($_POST['password'] . $staticKey . $salt);
// save $salt and $password to the database

For authorization, we check that the password matches:
$staticKey = "Your static key";
$salt = $dbSalt;                 // salt loaded from the database for this user
$password = sha1($_POST['password'] . $staticKey . $salt);
// hash_equals() instead of ==: strict, constant-time string comparison
return hash_equals($dbPassword, $password); // true = authorization succeeded

Now we can create a session and write authorization data to it. If we use our own session mechanism, then we can provide several options for protection:
1. Re-entering the password if the user logged in from an unusual place (determined by IP / geolocation, for example). Today he is in Russia, tomorrow he is in Australia, so it is worth checking the password again. If the check does not pass, we drop the session.
2. The session was in one browser, then the same session appears in another. Strange behavior, please enter the password.
3. We can update the session ID in the user's cookies every half hour.
4. etc.
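The following is an added example, not code from either answer: it puts the first answer's point (set and check a session variable instead of a cookie) and the second answer's algorithm (salted hash check, then a session tied to the client's IP and browser whose ID is rotated every half hour) together in one runnable PHP file. The constant names, the function names, the in-memory "user" returned by registerUser() and the session options are assumptions made for this example; a real application would read the salt and hash from its users table.

```php
<?php
// Added example (not from the answers above): session-based login following
// the scheme described in the thread. Names such as STATIC_KEY, REGENERATE_AFTER,
// registerUser(), checkPassword(), loginUser(), currentUser() and logoutUser()
// are assumptions for this example.

declare(strict_types=1);

const STATIC_KEY = 'replace-with-a-long-random-value-kept-outside-the-web-root'; // assumption
const REGENERATE_AFTER = 1800; // seconds: rotate the session ID every half hour (point 3)

// Constructed stand-in for a database row: one user registered with the answer's scheme.
function registerUser(string $password): array {
    $salt = bin2hex(random_bytes(16));            // random salt per user
    $hash = sha1($password . STATIC_KEY . $salt); // hashing exactly as in the answer
    return ['id' => 42, 'salt' => $salt, 'hash' => $hash];
}

// Verification: recompute and compare with hash_equals() rather than ==.
// PHP's == compares two numeric-looking strings as numbers ("0e1" == "0e2" is true),
// while hash_equals() is strict and constant-time. password_hash()/password_verify()
// would be the modern replacement for the sha1 construction.
function checkPassword(array $user, string $password): bool {
    $candidate = sha1($password . STATIC_KEY . $user['salt']);
    return hash_equals($user['hash'], $candidate);
}

// Client fingerprint used for points 1 and 2 of the answer (IP and browser).
function clientFingerprint(): array {
    return [
        'ip' => $_SERVER['REMOTE_ADDR'] ?? '',
        'ua' => hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? ''),
    ];
}

// Called after a successful password check: the "session variable" the first answer refers to.
function loginUser(int $userId): void {
    session_regenerate_id(true); // never keep the session ID that existed before login
    $_SESSION = [
        'user_id'     => $userId,
        'fp'          => clientFingerprint(),
        'regenerated' => time(),
    ];
}

// Called on every request: returns the user id, or null if the session is not trusted.
function currentUser(): ?int {
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $fp = clientFingerprint();
    // Points 1 and 2: a different IP or browser than at login -> drop the session,
    // which sends the user back to the login form to enter the password again.
    if ($fp['ip'] !== $_SESSION['fp']['ip'] || $fp['ua'] !== $_SESSION['fp']['ua']) {
        logoutUser();
        return null;
    }
    // Point 3: rotate the session ID every 30 minutes to limit the value of a leaked cookie.
    if (time() - $_SESSION['regenerated'] > REGENERATE_AFTER) {
        session_regenerate_id(true);
        $_SESSION['regenerated'] = time();
    }
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (login handler). The cookie flags assume the HTTPS the answer recommends.
session_start([
    'cookie_httponly' => true,
    'cookie_secure'   => true,
    'cookie_samesite' => 'Lax',
    'use_strict_mode' => true, // reject session IDs the server did not issue
]);
$user = registerUser('correct horse battery staple'); // constructed user, stands in for a DB row
if (isset($_POST['password']) && checkPassword($user, $_POST['password'])) {
    loginUser($user['id']);
}
$uid = currentUser(); // null -> show the login form again
```

The fingerprint check is deliberately coarse: a user behind a mobile carrier or corporate proxy can legitimately change IP, so in practice the IP part is often relaxed to a network prefix or replaced by the geolocation check the answer mentions, while the user-agent part stays strict.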
