PHP authentication: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
|||
Line 16: | Line 16: | ||
* Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict') | * Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict') | ||
* Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0) | * Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0) | ||
Note you cannot rely on the session cookie being deleted when the browser is closed, as this behaviour is not controlled by PHP and many users leave their browsers open all the time anyway. However, you can delete the session identifier from the server (e.g. using garbage collection), which will effectively render the cookie useless because there will be no matching record. | |||
Things you might want to consider: | Things you might want to consider: |
Revision as of 16:41, 8 April 2023
Login
- Store hash of password in database
- Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
- After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. if you have increased the hash cost
Session cookies
Whether you use the built-in functionality or setcookie, you need to ensure that:
- Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1, session.use_only_cookies = 1)
- Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
- Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)
- Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')
- Use strict mode (session.use_strict_mode = 1)
- Set the SameSite attribute appropriately, probably to 'Strict' unless you really need another type (session.cookie_samesite = "Strict" or $options['samesite'] = 'Strict')
- Session lifetime is set to zero seconds, which in most browsers will mean the cookie is deleted when the browser is closed (session.cookie_lifetime = 0 or $options['expires'] = 0)
Note you cannot rely on the session cookie being deleted when the browser is closed, as this behaviour is not controlled by PHP and many users leave their browsers open all the time anyway. However, you can delete the session identifier from the server (e.g. using garbage collection), which will effectively render the cookie useless because there will be no matching record.
Things you might want to consider:
- Regenerate the session ID regularly - this might be important for applications where users stay logged in for a long time, e.g. the entire working day
- Regenerate the session ID when privileges are changed
- Restricting cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that domain and not example.org
Do not mess around with options such as session.hash_function (removed as of 7.1 anyway). Your PHP distribution vendor should have set these to sensible values - if not you have bigger things to worry about.