
Geek Culture / website authentication

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 12th Jun 2010 01:23
Hey all,

I'm working on a php site completely written from scratch.

I'm in the final stage of writing a complete login system. Anyways, I'm looking for a method to secure sessions/cookies. The primary method is by IP address, also some methods call for the User Agent.

Using either of these methods on their own means if you login anywhere else, you have to log in again from the original ip/browser.

I was wondering if anyone has better methods of securing sessions/cookies (against people trying to steal them)

Another method I came up with is storing logins by IP and/or useragent, but making a table, so a user could have 2 or 3 or any number of logins simultaneously active, and the script would simply compare data to each of the listed sessions in the db to authenticate. If any matches are found, then the user is authenticated, otherwise they are not.

What are your thoughts? Do you guys generally login to sites from multiple places but not necessarily at the same time?

I've noticed recently TGC implemented a change that if I login at work now, I get logged out at home or vice versa. What's up with that?

Insanity Complex
19
Years of Service
User Offline
Joined: 16th Sep 2005
Location: Home
Posted: 12th Jun 2010 01:50
Your authentication by IP which would result in having to re-login at the original IP, I assume only means that if you login and have it "remember you", then login from elsewhere, it would no longer remember you at that original computer. Honestly, I've seen this in most places I go. Not sure of the complete workings under the hood, but as far as having to re-login from the original computer after logging in elsewhere, I don't consider that a hindrance. I actually prefer it that way, because if suddenly I'm not auto-logged in somewhere I usually am, but didn't login elsewhere myself, it's a heads up that someone else may have logged into my account.

GIDustin
16
Years of Service
User Offline
Joined: 30th May 2008
Location:
Posted: 12th Jun 2010 08:06
I hate it when websites log you out from locations other than your current. I visit the same websites at home, work, and on my cell phone and being always logged in on all 3 devices saves a lot of unnecessary typing.

Back in my web page days, I would check the PC for a cookie from my site. If it didn't exist, I would create one with a 32 digit random hash. I would then add that same ID to a SQL table. I then use that hash ID to identify that computer. Using IP addresses works for awhile, but not in settings such as schools where every PC has the same external IP and User Agent.

Then if the user logs in you can add their username to the SQL under their hash ID as well as a timestamp of the last time they entered their account info. That is how my sites did it. And for secure things, such as changing login information or accessing any somewhat secure parts of the site, make sure that the last time they entered their account info was somewhat recent, otherwise ask for it again, just in case.
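The device-cookie scheme GIDustin describes (random 32-digit ID in a cookie, mirrored in a SQL table, username and last-credential-entry timestamp attached on login, and a freshness check before sensitive actions), as an added example in Python rather than the site's PHP; this is not code from the post or the forum. The in-memory SQLite table, the 15-minute re-authentication window and the function names are assumptions for illustration. One addition a defender would make that the post does not mention: the ID is drawn from a CSPRNG so it cannot be predicted from earlier IDs.

```python
import secrets
import sqlite3
import time

# Hypothetical "somewhat recent" threshold for step-up checks (15 minutes).
REAUTH_WINDOW_SECONDS = 15 * 60


def open_store():
    """Constructed in-memory stand-in for the SQL table described in the post."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE devices (
               device_id             TEXT PRIMARY KEY,
               username              TEXT,
               last_credential_entry REAL)"""
    )
    return db


def get_or_create_device_id(db, cookie_value):
    """Return the device ID carried by the cookie, or mint a fresh one.

    A cookie value that is absent, or not present in the table, is treated
    as "no cookie": the browser gets a new ID and a new row.
    """
    if cookie_value:
        known = db.execute(
            "SELECT 1 FROM devices WHERE device_id = ?", (cookie_value,)
        ).fetchone()
        if known:
            return cookie_value
    device_id = secrets.token_hex(16)  # 32 hex digits from a CSPRNG
    db.execute("INSERT INTO devices (device_id) VALUES (?)", (device_id,))
    return device_id


def record_login(db, device_id, username, now=None):
    """Attach the username and the time the credentials were entered."""
    now = time.time() if now is None else now
    db.execute(
        "UPDATE devices SET username = ?, last_credential_entry = ? WHERE device_id = ?",
        (username, now, device_id),
    )


def current_user(db, device_id):
    """Username linked to this device ID, or None if nobody logged in on it."""
    row = db.execute(
        "SELECT username FROM devices WHERE device_id = ?", (device_id,)
    ).fetchone()
    return row[0] if row else None


def needs_reauth(db, device_id, now=None):
    """True when the last credential entry is older than the window (or missing).

    Call this before password changes or other sensitive pages and, if it
    returns True, ask for the password again before proceeding.
    """
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT last_credential_entry FROM devices WHERE device_id = ?", (device_id,)
    ).fetchone()
    if row is None or row[0] is None:
        return True
    return (now - row[0]) > REAUTH_WINDOW_SECONDS
```

The freshness check is what keeps a long-lived "remember me" cookie from being a full-power credential: an attacker who copies the cookie can browse as the user, but cannot change the password without the password.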

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 13th Jun 2010 05:00
Quote: "Back in my web page days, I would check the PC for a cookie from my site. If it didn't exist, I would create one with a 32 digit random hash. I would then add that same ID to a SQL table. I then use that hash ID to identify that computer. Using IP addresses works for awhile, but not in settings such as schools where every PC has the same external IP and User Agent."


I wasn't planning on making IP addresses unique. Multiple users could have the same IP. The issue arises when the IP changes frequently for a user, for example, through a proxy. The User agent may change frequently too, for some. So I'm kind of at a loss on how to protect against cookie stealing.

Anyone got any ideas?

GIDustin
16
Years of Service
User Offline
Joined: 30th May 2008
Location:
Posted: 13th Jun 2010 05:24
Not entirely sure what the good uses for proxies are, but they were used negatively on my website so the same person could spam my guestbook using a multitude of IP addresses within a few seconds. Therefore I made my site so that the first visit assigned the hash ID and then refreshed the page. If you didn't have the hash ID when you refreshed (either because cookies are disabled or a bot is being used) or your IP address changed then any interactive part of the site is completely blocked. Multiple offenses automatically lead to a ban. I have over 50,000 IP addresses that are linked to proxy servers already banned.

I can see how proxy servers are a nightmare for tracking systems as the cookie ID could appear stolen when it really isn't. In my experiences though proxy servers are mainly used for anonymous spamming, so I don't have any moral objections to blocking every user that uses them.

If you find a good all-around way of doing this you should share it. I may start working on web pages again if I can find a way to keep spammers at bay.

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 13th Jun 2010 05:39 Edited at: 13th Jun 2010 05:48
Hmm, interesting. Perhaps I should effectively ban any user whose IP address changes frequently then (by simply not worrying about them. With my system, they'd have to login at each IP change)

The method I'm developing works as such:
- The user visits the site and logs in
- I record the IP and some other info
- I create a hash that doesn't use the IP and store it in a cookie
- I take the cookie hash, append the ip and hash it again, and store it in the database
- when the user visits a page, the cookie stored hash is run through the server and hashed again with the user's IP
- this is then compared against the db hash, if there's a match, the user is authenticated.

I think I'm also going to implement a table to store (a limited number of) multiple hashes per user, so the user can visit from other IPs without having to relogin.

My method is a little more complex, but this is the gist of it.

GIDustin
16
Years of Service
User Offline
Joined: 30th May 2008
Location:
Posted: 13th Jun 2010 05:55 Edited at: 13th Jun 2010 05:56
Quote: "Perhaps I should effectively ban any user whose IP address changes frequently then"


Well, when I said ban I didn't mean restrict complete access. If the user visits with an IP that has been linked with known proxies or an IP that changes often, that user is unable to login or use any interactive content. They can view, but not sign guestbooks. They can view, but not participate in front page chat systems. That sort of thing. Your login script could check the user's IP against this list before it begins its checks to reduce server load.

Your system is very similar to my last one, with the exception of the hash created using the IP. I just store the IP in plain text in the same SQL table as the hash IDs and check against that. Effectively the only thing stored on the user's PC in cookie form is the one hash ID. If that hash ID is ever used on another IP, it's deleted for security reasons.

Since your system is pretty much where I ended up after 7 revisions, I have little to contribute here, but I am interested in other people's opinions too. I wonder how the big wigs like Yahoo and Google deal with proxy servers...

bitJericho
22
Years of Service
User Offline
Joined: 9th Oct 2002
Location: United States
Posted: 13th Jun 2010 06:04
Hmm, yeah, I suppose I could just store it in plain text.

I guess I was suffering from complexity fever. I'm going to revise my system, since having a few more if/then checks would probably be faster than multiple hashings.

With my system as it stands, the user won't be banned, they'll just simply be effectively blocked from being able to stay logged in.

As for your issue with proxies, block em on the server side, rather than your script. Find proxy ban lists.

You can also use something like http://akismet.com/
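The design the thread converges on, as an added example in Python rather than the site's PHP (not code from either poster): a random token lives only in the cookie, the server keeps a hash of it next to the login IP in plain text (GIDustin's revision, which bitJericho adopts above), a user may hold a limited number of concurrent sessions from different IPs, and a token presented from a different IP is treated as possibly stolen and deleted rather than accepted. The in-memory SQLite table, the cap of three sessions per user and the function names are assumptions for illustration. Storing only a hash of the token, rather than the token itself, is an addition beyond the posts: it means a leaked sessions table does not hand out live cookies.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical cap on simultaneously valid logins per user (home, work, phone).
MAX_SESSIONS_PER_USER = 3


def open_store():
    """Constructed in-memory stand-in for the sessions table in the thread."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE sessions (
               username   TEXT    NOT NULL,
               token_hash TEXT    NOT NULL UNIQUE,
               ip         TEXT    NOT NULL,
               created    INTEGER NOT NULL)"""
    )
    return db


def token_hash(token):
    """SHA-256 of the cookie token; only this digest is ever written to the DB."""
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(db, username, ip, created):
    """Issue a new cookie token for this login and record it bound to the IP.

    The oldest rows for the user are dropped once the cap is exceeded, so a
    user can stay logged in from several places without unbounded growth.
    """
    token = secrets.token_urlsafe(32)  # 256 bits from a CSPRNG
    db.execute(
        "INSERT INTO sessions VALUES (?, ?, ?, ?)",
        (username, token_hash(token), ip, created),
    )
    db.execute(
        """DELETE FROM sessions
           WHERE username = ? AND rowid NOT IN (
               SELECT rowid FROM sessions WHERE username = ?
               ORDER BY created DESC LIMIT ?)""",
        (username, username, MAX_SESSIONS_PER_USER),
    )
    return token


def authenticate(db, token, ip):
    """Return the username if the cookie token is valid for this IP, else None.

    A known token arriving from a different IP is deleted on the spot: either
    the user's address changed (they log in again) or the cookie was copied.
    """
    if not token:
        return None
    digest = token_hash(token)
    row = db.execute(
        "SELECT username, ip FROM sessions WHERE token_hash = ?", (digest,)
    ).fetchone()
    if row is None:
        return None
    username, bound_ip = row
    if not hmac.compare_digest(bound_ip, ip):
        db.execute("DELETE FROM sessions WHERE token_hash = ?", (digest,))
        return None
    return username


def session_count(db, username):
    """How many logins the user currently has outstanding."""
    return db.execute(
        "SELECT COUNT(*) FROM sessions WHERE username = ?", (username,)
    ).fetchone()[0]
```

The trade-off the thread discusses falls out directly: a user behind a proxy whose address changes on every request fails the IP check and has to log in each time, while a cookie copied to another machine is useless and its theft is visible as a revoked session rather than a silent takeover.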
