Sign in to follow this  
rajend3

[web] php login script help needed

Recommended Posts

I'm trying to program a login script in php can anyone let me know if there will be a problem with my script. 1. get login information (email, password) 2. make sure email & password pair exists in member table 3. make sure session_id field in members table is null 4. store session_id in members table 5. when user logs out set session_id in members table null What I am trying to do is stop multiple users from logging in with the same email and password pair. Will storing session_id in this way stop it?

Share this post


Link to post
Share on other sites
Quote:
Original post by rajend3
What I am trying to do is stop multiple users from logging in with the same email and password pair. Will storing session_id in this way stop it?

The only problem I see with checking against the session id is if the same user attempts to log in two or more times in quick succession after an unexpected session dump. For example, say someone enters the site, you mark him/her as logged in, and then that user accidentally closes their browser. The user starts back up, goes to log in, but gets an error saying that they're already logged in.

Instead of checking the session id, I think checking the IP address would be more meaningful. Since the IP address will remain the same (usually) across multiple sessions, you can check the user's IP with the one stored in the members table (if any), see if it's the same or different, and then proceed with authentication from there.

Also, an extra step to add to your login process if not already there:

1.5 - Check for SQL injections.

Share this post


Link to post
Share on other sites
If I use the user's IP address and they are behind a NAT will it be possible for another user behind the same NAT to login with the same email & address pair?

Also, as far as SQL injection goes are the mysql_real_escape_string() and stripslashes() enough to stop this kind of attack?

Share this post


Link to post
Share on other sites
I would probably just use sessions and log previous users out if a new session is authenticated. This way there is only ever one active session, but if a legitimate user accidentally is logged twice (say on two workstations) or didn't logout correctly that your application handles it gracefully.

Meanwhile, two users attempting to share a common account will be constantly logging each other out. Depending on the nature of your application, this might cause enough frustration that they will get separate accounts.

Quote:
Original post by rajend3
If I use the user's IP address and they are behind a NAT will it be possible for another user behind the same NAT to login with the same email & address pair?

Yes, users that share a NAT share an IP address as far as the other end point is concerned. Their port numbers will differ however.
Quote:

Also, as far as SQL injection goes are the mysql_real_escape_string() and stripslashes() enough to stop this kind of attack?

A parameterised query is another method.

Share this post


Link to post
Share on other sites
A few questions.

Why are you worried about the same account being logged into by two different clients simultaneously? How does this effect your code? A more reasonable fear would be that a users account is compromised by a 3rd party that could either steal information, or make unwanted changes.

(Personally, I like to regenerate session ID's semi-frequently, not store them. This helps prevent session hijacking.)

If you are worried about a user viewing two separate pages simultaneously with the same account, and this somehow leads to a security vulnerability, then this is not the correct fix. Your php back-end should have better test procedures.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

Sign in to follow this