MyBB Community Forums

Full Version: Login System
I'm creating a site where users need to log in to perform certain actions, and have 2 issues I need to solve before I can continue:

1) How should I handle the password client-side? I know not to store it plain-text server side, my problem comes from transmitting it over a non-https connection. Should I really care though?

2) How should I go about storing a persistent login, like MyBB's "remember me" option, in a cookie? Storing the password is dumb, but I need some way to validate a user after a period of time has passed. Should I store the server-side representation?

Note that I can't just copy how MyBB does it, as MyBB is under the GPL and I refuse to release anything under it, and would rather avoid it altogether.

I'm working in PHP, and while I think security is important, I don't know how much is important and how much is overkill as I've never needed to write a script like this before (MyBB's always handled the login and registration stuff for me).

Thank you for your help!
Well, you can use a JavaScript function to sha2 it before posts.

Every user can get a session hash, unique, stored in the db. Cookie will hold that.
Which fails if JavaScript is disabled. I don't know if it's overkill though to encrypt it before sending to the server, since usually it's easier to get it through other means anyway.

The problem with session hashes is they should only last for the session. I want something like here where the user stays logged in for, well, until they log out.
Like a permanent session ID. Stored in the user table.
Why use JS? Why not just hardcode it in?
(2011-02-07, 11:42 PM)Firestryke31 Wrote:
> The problem with session hashes is they should only last for the session. I want something like here where the user stays logged in for, well, until they log out.

Not exactly sure how MyBB's works, but I haven't been logged out in ages. For security purposes though you'd want to assign a new random string per cookie anyways, rather than an outdated cookie still working.

One option I guess is to add a separate table to log logins (just the user id and timestamp) then create a cookie using just the uid + timestamp all jumbled up (md5 or whatever you'd use) to check the cookie's contents against the login table. This would allow you to create cookies for multiple computers/browsers yet still have unique keys which can be independently removed from the login table when the user logs out.

Just how I would go about it.
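An added example (not code from this thread or from MyBB) of the per-device login table described in the post above, written in PHP with an in-memory SQLite table standing in for the site database. It swaps the hashed uid+timestamp for a random selector:validator token and stores only a hash of the validator, so each browser gets its own row that can be deleted on logout; it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: per-device "remember me" tokens kept in a separate table.
// Cookie value is selector:validator; the table stores sha256(validator),
// so a leaked table does not directly yield working cookies.
$db = new PDO('sqlite::memory:'); // constructed in-memory stand-in for the real DB
$db->exec('CREATE TABLE login_tokens (
    selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
    uid INTEGER NOT NULL, expires INTEGER NOT NULL)');

// Issue a token for one browser at login; returns the cookie value to set.
function issue_token(PDO $db, int $uid, int $ttl = 2592000): string {
    $selector  = bin2hex(random_bytes(9));  // lookup key (18 hex chars)
    $validator = bin2hex(random_bytes(32)); // secret part, never stored raw
    $st = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $validator), $uid, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Validate a cookie value on a later visit; returns the uid or null.
function validate_token(PDO $db, string $cookie): ?int {
    if (strpos($cookie, ':') === false) { return null; }
    [$selector, $validator] = explode(':', $cookie, 2);
    $st = $db->prepare('SELECT validator_hash, uid, expires FROM login_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) { return null; } // unknown or expired
    // Constant-time comparison of the hashes avoids a timing side channel.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) { return null; }
    return (int) $row['uid'];
}

// Logout on this device only: other browsers keep their own rows.
function revoke_token(PDO $db, string $cookie): void {
    $selector = explode(':', $cookie, 2)[0];
    $db->prepare('DELETE FROM login_tokens WHERE selector = ?')->execute([$selector]);
}

// Demo: issue a token for uid 42 (constructed), set the cookie with the
// HttpOnly/Secure/SameSite flags, then validate, tamper, and revoke.
$cookie = issue_token($db, 42);
setcookie('remember', $cookie, ['expires' => time() + 2592000,
    'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(validate_token($db, $cookie));       // valid cookie: the uid
var_dump(validate_token($db, $cookie . 'x')); // altered validator: rejected
revoke_token($db, $cookie);
var_dump(validate_token($db, $cookie));       // after logout: rejected
```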
Permanent cookie could work, try using a similar system to a login system with the cookie to remember if they're logged in.

Hash a combination of a secret key and the time of login or something and store that with the cookie to authorize it when they visit the page again.