PHP authentication
Revision as of 16:35, 8 April 2023
Login
- Store only a hash of the password in the database, produced by password_hash (PASSWORD_DEFAULT), never the password itself
- Check a password by fetching the row for the username, then calling password_verify against the stored hash (it compares in constant time, so it is safe against timing attacks). If no row exists, still run password_verify against a dummy hash so a missing username cannot be told apart from a wrong password by response time
- After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. because you have increased the hash cost; if it does, store password_hash of the password you just verified
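The three steps above, as an added example that is not from the original page: registration and login against a users table using password_hash, password_verify and password_needs_rehash. It runs stand-alone against an in-memory SQLite database (the pdo_sqlite extension is assumed); the table layout, the cost value and the function names are assumptions for the example.

```php
<?php
// Added example (not from the original page): registration and login using
// password_hash / password_verify / password_needs_rehash. The users table,
// the hash cost and the helper names are assumptions for this example.
declare(strict_types=1);

// PASSWORD_DEFAULT currently selects bcrypt. Raise the cost as hardware improves;
// password_needs_rehash() then migrates older hashes on the next successful login.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// A throwaway hash for the "unknown user" path, so that path costs the same as a
// real verification and does not reveal which usernames exist via response time.
function dummy_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), HASH_ALGO, HASH_OPTIONS);
}

function register_user(PDO $db, string $username, string $password): void
{
    // Store only the hash, never the plaintext password.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, HASH_ALGO, HASH_OPTIONS),
    ]);
}

function verify_login(PDO $db, string $username, string $password): bool
{
    // Fetch the row by username, then let password_verify() do the comparison
    // (it uses a constant-time comparison internally).
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: still do the work so the timing matches a wrong password.
        password_verify($password, dummy_hash());
        return false;
    }

    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Successful login: transparently upgrade hashes made with older parameters.
    if (password_needs_rehash($row['password_hash'], HASH_ALGO, HASH_OPTIONS)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([
            ':h'  => password_hash($password, HASH_ALGO, HASH_OPTIONS),
            ':id' => $row['id'],
        ]);
    }
    return true;
}

// Stand-alone demonstration with a constructed in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

// A legacy account whose hash was made with a lower cost; its login should rehash it.
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 10])]);
register_user($db, 'bob', 'battery staple');

var_dump(verify_login($db, 'alice', 'correct horse'));
var_dump(verify_login($db, 'alice', 'wrong'));
var_dump(verify_login($db, 'nobody', 'anything'));
var_dump(verify_login($db, 'bob', 'battery staple'));
```

The first and last calls succeed and the middle two fail; after the first call alice's stored hash has been rewritten with cost 12, which you can confirm by reading the row back. The dummy_hash() call on the unknown-user path is the part most implementations forget: without it, a request for a non-existent user returns noticeably faster than one with a wrong password.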
Session cookies
Whether you use the built-in session functionality or setcookie, you need to ensure that:
- Session IDs are only carried in cookies, never in URL parameters (session.use_cookies = 1, session.use_only_cookies = 1)
- Session cookies are flagged HttpOnly, so scripts cannot read them via document.cookie (session.cookie_httponly = 1 or $options['httponly'] = true)
- Cookies are only sent over HTTPS (session.cookie_secure = 1 or $options['secure'] = true)
- Cookies are restricted to your domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org'); note that a Domain attribute covers that host and all of its subdomains, whereas leaving it empty gives a host-only cookie for exactly the host that set it
- Strict mode is enabled, so PHP rejects any session ID it did not generate itself, which defeats session fixation (session.use_strict_mode = 1)
- The SameSite attribute is set appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict'); with 'Strict' a user following a link from another site arrives without the cookie, so use 'Lax' if that is unacceptable
Things you might want to consider:
- Regenerate the session ID regularly with session_regenerate_id(true) - this matters for applications where users stay logged in for a long time, e.g. the entire working day, because it limits how long a leaked ID remains usable
- Regenerate the session ID when privileges change, in particular immediately after a successful login, so an ID the client already held before authenticating is never promoted to an authenticated session
- Restricting cookies to the host you actually serve, e.g. if you use www.example.org then cookies should be set for that host (or host-only, with no Domain attribute at all) and not for example.org, where every subdomain would receive them
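The session settings and the regeneration advice above, combined into one added example that is not from the original page: a session bootstrap that passes the hardened cookie settings to session_start, rotates the ID on a timer, and rotates it again on login and on privilege change. The rotation interval, the cookie domain parameter and all function names are assumptions; because cookie_secure is set, the cookie is only ever issued over HTTPS, so on a plain-HTTP test server logins will appear not to stick.

```php
<?php
// Added example (not from the original page): session bootstrap with the cookie
// settings above, plus ID rotation on a timer and on login / privilege change.
// The interval, the domain parameter and the function names are assumptions.
declare(strict_types=1);

const SESSION_ROTATE_INTERVAL = 900; // seconds: rotate the ID at least every 15 minutes

// $cookieDomain = '' (the default) yields a host-only cookie for exactly the serving
// host; pass e.g. 'www.example.org' only if subdomains of it must receive the cookie.
function start_secure_session(string $cookieDomain = ''): void
{
    // session_start() accepts any session.* ini directive (without the prefix).
    session_start([
        'use_cookies'      => '1',      // IDs travel in cookies ...
        'use_only_cookies' => '1',      // ... and are never accepted from the URL
        'use_trans_sid'    => '0',      // never rewrite links to carry the ID
        'use_strict_mode'  => '1',      // reject IDs PHP did not generate (anti session fixation)
        'cookie_secure'    => true,     // HTTPS only: never set over plain HTTP
        'cookie_httponly'  => true,     // not readable via document.cookie
        'cookie_samesite'  => 'Strict', // not sent on cross-site requests, including external links
        'cookie_domain'    => $cookieDomain,
        'cookie_path'      => '/',
    ]);

    // Timed rotation: a leaked ID stops working after at most one interval.
    $last = $_SESSION['_rotated_at'] ?? 0;
    if (time() - $last > SESSION_ROTATE_INTERVAL) {
        rotate_session_id();
    }
}

// Issue a fresh ID and delete the old server-side session so the old ID is dead.
function rotate_session_id(): void
{
    session_regenerate_id(true);
    $_SESSION['_rotated_at'] = time();
}

// Call after password_verify() succeeded: the ID the client held before
// authenticating is never promoted to an authenticated session.
function login_user(int $userId, string $role): void
{
    rotate_session_id();
    $_SESSION['user_id'] = $userId;
    $_SESSION['role']    = $role;
}

// Same rule whenever privileges change, e.g. promotion to an admin role.
function change_role(string $newRole): void
{
    rotate_session_id();
    $_SESSION['role'] = $newRole;
}

function logout_user(): void
{
    $_SESSION = [];
    // Expire the browser's copy with the same attributes it was set with,
    // then destroy the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

start_secure_session();
```

Calling start_secure_session() at the top of every request is what enforces the settings; setting them in php.ini works just as well and survives a forgotten include. session_regenerate_id(true) rather than the default false matters: with false the old session data stays on disk under the old ID, and with strict mode off that ID would still be accepted.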
Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.