PHP authentication: Difference between revisions
Revision as of 16:14, 8 April 2023
Login
- Store hash of password in database
- Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
- After a successful verification, call password_needs_rehash to see if the hash needs to be updated
Session cookies
Whether you use the built-in functionality or something else, you need to ensure that:
- Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)
- Session cookies are only sent with HTTP requests and are not readable by client-side script (session.cookie_httponly = 1 or $options['httponly'] = true)
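A worked example of both checklists above, added here and not part of the wiki page: the in-memory $users array stands in for the database row fetched by username, and the cookie settings assume the site is served over HTTPS.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the users table: username => stored password hash.
// Only the hash is stored, never the password itself.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];

// Returns the (possibly upgraded) hash on success, null on failure.
function login(array &$users, string $username, string $password): ?string
{
    // Fetch the row by username. For an unknown user, verify against a
    // fixed dummy hash so the response time does not reveal whether the
    // account exists (defensive addition, not from the wiki page).
    $hash = $users[$username] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $known = isset($users[$username]);

    // password_verify compares against the stored hash in constant time.
    if (!password_verify($password, $hash) || !$known) {
        return null;
    }

    // After a successful check, upgrade the hash if the default algorithm
    // or cost has changed since it was stored, and persist the new one.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $users[$username] = $hash;
    }
    return $hash;
}

// Session hardening: the ID travels only in a cookie, never in a URL
// parameter, and the cookie is not exposed to client-side script.
function startHardenedSession(): void
{
    ini_set('session.use_cookies', '1');
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,  // assumption: HTTPS-only site
        'samesite' => 'Lax',
    ]);
    session_start();
}

startHardenedSession();
var_dump(login($users, 'alice', 'wrong password') !== null);
var_dump(login($users, 'alice', 'correct horse battery staple') !== null);
var_dump(login($users, 'mallory', 'anything') !== null);
```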