Old 04-17-2014, 10:06 AM   #1
ssc456 (Fully Optimized, Join Date: Jan 2007, Posts: 4,273)
Authentication and Login

Hey guys,

So I've done my fair share of websites over the years but I've never really touched upon logins and stuff.

How are they done?

.net Web Apps come with a default project that has a whole login manager and stuff which I'm sure will do the job, but that is just using it; I'd like to understand what's going on.

So let's say I create a login page and a username and password field and a submit and on submit it encrypts the password and queries the database using a stored procedure and comes back as successful. Excellent, I can then redirect the user to a "UsersPage".

The problem I have is if I now want to browse from UsersPage to UsersPage2 how do I check the user is still logged in?

Yes I know I can create a cookie, but that seems like a terrible idea.
If I create a cookie with a key of "Isloggedin" and a value of "True" then anyone could fake it and access the UsersPage.

If I create a cookie with a key of "SessionID" and store a GUID generated from SQL when the user is logged in as the value, this is a lot more secure, but in the grand scheme of things still quite insecure.

It strikes me that if you were able to steal someone's cookies folder and pop them on your machine you shouldn't be able to log in; even if I set the cookie timeout to a couple of hours this is still a potential exploit, however unlikely it may be.

So I could take it a step further and put a SessionID combined with the user's IP address in a cookie, but it strikes me as if I'm still heading in the wrong direction?

How is it meant to be done?

I could authenticate the user, and store a SessionID on the servers memory which is a lot more secure and each time I flick from page to page I could check the SessionID?

What is considered the "proper" way to do it?

Old 04-23-2014, 04:51 AM   #2
root (Site Team, Join Date: Mar 2004, Posts: 7,872)
Re: Authentication and Login

If I were you...

Forget about storing the IP address; if their IP address changes they will end up having to log in again.

Use a cookie, store the user name, and store a hash of the password.

Then you can check the authenticity of the user, effectively logging them on each time. Nobody could fake that cookie unless they stole the hash, or knew the password to create a hash.

(If you're not comfortable storing the hash that's in the database for user login then you might store a hash of the hash, or a specific hash that's salted differently to how you usually store the passwords.)

So I log in with username + password.

In my cookie I get userID + hash of password.

Each time the page refreshes you check the DB to ensure that the userID and password hash match properly.
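As an added example (not code from either post, and not .NET's built-in login manager), here is the server-side session store the question sketches in its last paragraph: the cookie carries only an unguessable random ID, the server maps that ID to a user and an expiry, and nothing password-derived ever leaves the server, so a forged "Isloggedin=True" cookie or a made-up SessionID maps to nobody. The Python, the SessionStore/current_user/session_cookie_header names and the injectable clock are assumptions made here for illustration.

```python
import secrets
import time

SESSION_TTL_SECONDS = 2 * 60 * 60  # "a couple of hours", as in the question


class SessionStore:
    """Server-side table: opaque random ID -> (user_id, expiry time).

    The browser only holds a reference into this table, so a stolen or
    forged cookie is worthless once the entry is expired or destroyed.
    """

    def __init__(self, ttl=SESSION_TTL_SECONDS, clock=time.time):
        self._sessions = {}
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be exercised in tests

    def create(self, user_id):
        """Called once, after the username/password check has succeeded."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not a SQL GUID
        self._sessions[sid] = (user_id, self._clock() + self._ttl)
        return sid

    def lookup(self, sid):
        """Return the user bound to sid, or None if unknown or expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[sid]  # stale entry: drop it so it cannot be reused
            return None
        return user_id

    def destroy(self, sid):
        """Logout: invalidates the ID server-side even if a copy was taken."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid):
    """Set-Cookie line for the login response: HttpOnly keeps page scripts
    from reading it, Secure keeps it off plain HTTP."""
    return f"Set-Cookie: SessionID={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"


def current_user(cookies, store):
    """Per-request check for UsersPage, UsersPage2, ...; cookies is the parsed
    Cookie header as a dict. Returns the user ID or None (redirect to login)."""
    sid = cookies.get("SessionID")
    return store.lookup(sid) if sid else None
```

Because the ID is only a key into server memory (or a sessions table), the password hash itself is never sent to the browser, and the server can end a session at logout or on a timeout regardless of what the client still holds.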
