PHP authentication: Difference between revisions

Revision as of 16:25, 8 April 2023

Store hash of password in database
Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. if you have increased the hash cost

Whether you use the built-in functionality or setcookie, you need to ensure that:

Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)
Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)
Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')

Things you might want to consider:

Regenerate the session ID regularly - this might be important for applications where users stay logged in for a long time, e.g. the entire working day
Regenerate the session ID when privileges are changed
Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org

@@ Line 12: / Line 12: @@
 * Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
 * Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)
+* Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')
 Things you might want to consider:
@@ Line 17: / Line 18: @@
 * Regenerate the session ID regularly - this might be important for applications where users stay logged in for a long time, e.g. the entire working day
 * Regenerate the session ID when privileges are changed
+* Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org