Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Alexander2016-07-12 23:02:55
PHP
Alexander, 2016-07-12 23:02:55

What ways can be passed in order to finalize the authorization system?

The algorithm of my script is as follows:
When registering an account, two storages are created (records in the table), the first record in the accounts table, the user data itself is written here, the email password in sha512 + salt and a randomly generated salt through the sha512 hash from rand ().
In the second table, sessions, a record is created in which ip (last used) and token are written, the token is generated absolutely randomly and changes during authorization. A copy of the token is written to the session.
IMPORTANT POINT FOR DEVELOPMENT:
Authorization is checked as follows: a selection is made from sessions by ip and the token is checked from the cookies and the table, if it is equal, then the user id is taken and the selection is already made from accoins where id=id
The problem is the following, I find it critical: If two authorizations pass, then later I think you understand, it authorizes one. How can I modify / redo the method of linking a session to a user's machine, because the problem is revealed in wi-fi networks and proxies themselves ...
I consider linking to user-agent, flash irrational, correct me if I'm wrong.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

2 answer(s)
Report
A
Alexander Aksentiev, 2016-07-12
@Sanasol

do not reinvent the wheel, how do you like this way?
I got confused while reading this, use standard php functions, no "generated, hashed with a piece of another hash, etc."
those. if I got the dynamic IP of another user, will I get under his account? A username and password are not needed at all or what?
First, decide whether you need a token at all? The token is generated in order for the authorization to live for any amount of time. For normal authorization, this is not necessary at all.
If you want eternal authorization:
Generate a token by IP+useragent.
There are no other options and there is no need.
What is the problem with two authorizations? There will be two tokens for one user, and authorization will remain active in two places.

Report
G
Grigory Esin, 2016-07-12
@xotey83

Please don't use rand to generate salt, guid, session id,... - not secure.

Similar questions
G
GRO242019-08-30 15:23:29
Why doesn't Bootstrap 4 align blocks? 2Reply
M
Matvey Bubenets2017-04-20 04:38:37
How to disable Remote Desktop Licensing? 6Reply
D
Dagtor2015-05-15 14:02:52
What book, website or video course can you offer a beginner to learn SQL? 11Reply
A
Alex2019-10-09 12:42:39
How to create qr code in js? 1Reply
K
Ksander882021-04-16 11:31:56
How to make a print order button before placing an order? 0Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question