PHP authentication

From Rixort Wiki

Login

  • Store hash of password in database
  • Check the password by fetching the row for the given username, then use password_verify on the stored hash (it compares in constant time, so it is safe against timing attacks)
  • After a successful verification, call password_needs_rehash to see if the hash needs to be updated, e.g. if you have increased the hash cost

Session cookies

Whether you use PHP's built-in session handling or setcookie, you need to ensure that:

  • Sessions are only sent in cookies, not URL parameters (session.use_cookies = 1)
  • Session cookies are marked HttpOnly, so they are only sent with HTTP requests and cannot be read by client-side script (session.cookie_httponly = 1 or $options['httponly'] = true)
  • Only send cookies for secure requests (session.cookie_secure = 1 or $options['secure'] = true)
  • Cookies are restricted to the domain (session.cookie_domain = "example.org" or $options['domain'] = 'example.org')

Things you might want to consider:

  • Regenerate the session ID regularly - this might be important for applications where users stay logged in for a long time, e.g. the entire working day
  • Regenerate the session ID when privileges are changed
  • Restrict cookies to the subdomain, e.g. if you use www.example.org then cookies should be set for that host and not for example.org
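The login and session cookie points above combined in one flow, as an added example that is not code from this wiki. It assumes a PDO connection, a hypothetical `users` table with `id`, `username` and `password_hash` columns, and www.example.org as the host; the `session.use_only_cookies` and `session.use_strict_mode` settings are additions not mentioned on the page.

```php
<?php
declare(strict_types=1);
// Added example, not from the wiki. Assumes a PDO connection and a hypothetical
// `users` table with `id`, `username` and `password_hash` columns.

const HASH_OPTIONS = ['cost' => 12]; // raise over time; password_needs_rehash picks up the change

function registerUser(PDO $pdo, string $username, string $password): void
{
    // Store only the hash of the password, never the password itself.
    $hash = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function startSecureSession(): void
{
    ini_set('session.use_cookies', '1');      // session ID travels in a cookie ...
    ini_set('session.use_only_cookies', '1'); // ... and is never accepted from the URL (setting not on the page)
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue (setting not on the page)
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => 'www.example.org', // the exact host, not the parent domain example.org
        'secure'   => true,              // only sent over HTTPS
        'httponly' => true,              // not readable from client-side script
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Upgrade the stored hash if the algorithm or cost has changed since it was created.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $new = password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => $new, ':id' => $row['id']]);
    }
    // Privileges change on login, so issue a fresh session ID and discard the old one.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $row['id'];
    return true;
}
```

Call startSecureSession() before login() on every request; the same session_regenerate_id(true) call belongs wherever privileges change or a periodic refresh is due.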