What ways can be passed in order to finalize the authorization system?
The algorithm of my script is as follows:
When registering an account, two storages are created (records in the tables): the first record is in the accounts table, where the user data itself is written: the email, the password as sha512 + salt, and a randomly generated salt obtained by taking the sha512 hash of rand().
In the second table, sessions, a record is created in which the ip (last used) and the token are written; the token is generated completely randomly and changes on each authorization. A copy of the token is written to the session.
IMPORTANT POINT FOR DEVELOPMENT:
Authorization is checked as follows: a selection is made from sessions by ip, and the token from the cookie is compared with the one in the table; if they are equal, the user id is taken and a selection is then made from accounts where id=id.
The problem is the following, and I find it critical: if two authorizations pass, then later, as I think you understand, only one of them stays authorized. How can I modify / redo the method of linking a session to a user's machine, because the problem shows up on wi-fi networks and proxies themselves ...
I consider linking to user-agent or flash irrational; correct me if I'm wrong.
Do not reinvent the wheel; how do you like this way?
I got confused while reading this; use standard php functions, not "generated, hashed with a piece of another hash, etc."
I.e. if I got the dynamic IP of another user, will I get into his account? A username and password are not needed at all, or what?
First, decide whether you need a token at all. The token is generated so that the authorization can live for any length of time. For normal authorization, this is not necessary at all.
If you want eternal authorization:
Generate a token by IP+useragent.
There are no other options and there is no need.
What is the problem with two authorizations? There will be two tokens for one user, and authorization will remain active in two places.
Please don't use rand() to generate a salt, guid, session id, ... - it is not secure.
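To make the advice in the answers above concrete (standard PHP functions instead of hand-rolled sha512+rand() salting, one token per login so two logins coexist, and no lookup by IP), here is an added example. It is not the asker's script and not code from any of the commenters; the table layout, column names and the 30-day lifetime are assumptions chosen for the example, and it uses an in-memory SQLite database so it runs offline.

```php
<?php
// Added example: token-based sessions with standard PHP functions.
// Assumptions: tables `accounts` and `sessions` as created below, an
// in-memory SQLite database (constructed for the demo), 30-day sessions.
declare(strict_types=1);

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE accounts (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pass_hash TEXT)');
    // Only a hash of the token is stored, so a leaked table does not yield usable cookies.
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, account_id INTEGER, last_ip TEXT, expires_at INTEGER)');
    return $db;
}

function registerAccount(PDO $db, string $email, string $password): int {
    // password_hash() picks the algorithm and generates its own random salt;
    // no manual sha512 + salt-from-rand() construction is needed.
    $stmt = $db->prepare('INSERT INTO accounts (email, pass_hash) VALUES (?, ?)');
    $stmt->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    return (int) $db->lastInsertId();
}

function login(PDO $db, string $email, string $password, string $ip): ?string {
    $stmt = $db->prepare('SELECT id, pass_hash FROM accounts WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    // A fresh token from the CSPRNG on every login: two logins simply produce
    // two independent session rows, neither one overwriting the other.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO sessions (token_hash, account_id, last_ip, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), (int) $row['id'], $ip, time() + 30 * 86400]);
    return $token; // the caller puts this in an HttpOnly, Secure cookie
}

function authenticate(PDO $db, string $token, string $ip): ?int {
    // Look the session up by the token itself, never by IP: users behind the
    // same wi-fi router, NAT or proxy all share one address.
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT account_id, expires_at FROM sessions WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // The IP is recorded for auditing only; it is not part of the check.
    $db->prepare('UPDATE sessions SET last_ip = ? WHERE token_hash = ?')->execute([$ip, $tokenHash]);
    return (int) $row['account_id'];
}

function logout(PDO $db, string $token): void {
    $db->prepare('DELETE FROM sessions WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

// Demo with constructed data: two users behind the same IP keep separate sessions.
$db = setupDb();
registerAccount($db, 'alice@example.com', 'correct horse');
registerAccount($db, 'bob@example.com', 'battery staple');
$tokenA = login($db, 'alice@example.com', 'correct horse', '10.0.0.1');
$tokenB = login($db, 'bob@example.com', 'battery staple', '10.0.0.1');
var_dump(authenticate($db, $tokenA, '10.0.0.1'));
var_dump(authenticate($db, $tokenB, '10.0.0.1'));
var_dump(authenticate($db, 'not-a-real-token', '10.0.0.1'));
logout($db, $tokenA);
var_dump(authenticate($db, $tokenA, '10.0.0.1'));
```

Because the session key is the random token rather than the client's address, a second login from the same network adds a row instead of replacing one, and a user who happens to receive another user's old dynamic IP gets nothing. Expiry and explicit logout bound how long a leaked cookie stays useful; checking the stored hash rather than the raw token means the table itself is not a list of valid cookies.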