PHP authentication: Difference between revisions

From Rixort Wiki
Jump to navigation Jump to search
← Older editNewer edit →
Line 3: Line 3:
* Store hash of password in database
* Store hash of password in database
* Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
* Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
* After a successful verification, call password_needs_rehash to see if the hash needs to be updated
* After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. if you have increased the hash cost


== Session cookies ==
== Session cookies ==

Revision as of 16:22, 8 April 2023

Login

  • Store hash of password in database
  • Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
  • After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. if you have increased the hash cost

Session cookies

Whether you use the built-in functionality or setcookie, you need to ensure that:

  • Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)
  • Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
  • Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)

Things you might want to consider:

  • Regenerate the session ID regularly - this might be important for applications where users stay logged in for a long time, e.g. the entire working day
  • Regenerate the session ID when privileges are changed
Retrieved from ‘https://wiki.rixort.com/index.php?title=PHP_authentication&oldid=1344