PHP authentication

From Rixort Wiki

Revision as of 16:14, 8 April 2023 by Paul (Sọ̀rọ̀ | contribs) (→‎Session cookies)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Jump to navigation Jump to search

Login

Store hash of password in database
Check password by fetching row based on username, then use password_verify (which is safe against timing attacks)
After a successful verification, call password_needs_rehash to see if the hash needs to be updated

Session cookies

Whether you use the built-in functionality or setcookie, you need to ensure that:

Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)
Only send session cookies for HTTP requests (session.cookie_httponly = 1 or $options['httponly'] = true)
Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)

Retrieved from ‘https://wiki.rixort.com/index.php?title=PHP_authentication&oldid=1342’