On 23 June 2010 07:44, Tommy Pham <tommy...@gmail.com> wrote:
>> -----Original Message-----
>> From: James Colannino [mailto:ja...@colannino.org]
>> Sent: Tuesday, June 22, 2010 10:06 PM
>> To: PHP-General List
>> Subject: Re: [PHP] Question about logins and locking
>> Tommy Pham wrote:
>> > 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
>> > expire when browser closes
>> > 2) Have a table in the DB backend to keep track if the user is logged
>> > in or not and when was the last time the validated user access your
>> > site (this gets updated when the user visit a link on your site by
>> > checking the cookie and the DB entry of the session ID)
>> > 3) Set your session timeout according to your security requirement
>> > AFK longer than your session timeout.
>> > If another user or if the same user tries to login with a different
>> > browser, you can check the status of the user. If the user is logged
>> > in, you can deny it after the authentication. Should the user close
>> > the browser without having logged off, you can check when was the last
>> > time the user accessed your site and see if it's been longer than your
>> session timeout.
>> > For security purposes, you can optionally send a courtesy email
>> > notifying that the user didn't logout properly since last accessed.
>> > This way, you can track whether the user's system is compromised in
>> > some way or not. It all depends on what kind of application, service,
>> > user level access, and the strict security you require.
>> Thanks Tommy. That was very helpful, and some of it is similar to how I was
>> thinking of doing it.
> Forgot 1 more thing, if you really want to be strict about security, you can
> set a very highly secured permanent cookie on the user's system on the first
> initial login. You can send them a confirmation code, that it's really who
> they say they are, to the email address. Then the user will need to submit
> that confirmation code along with the current password as part of the
> initial logon process. So if a hijacker or eavesdropper tries to log on with
> your user's info on another system, a new confirmation code would be sent to
> your user's email address. Your user would then know their identity has been
> stolen. Setting this up will entail slight modification to your app and DB
> design but will have better overall security. Again, evaluate your needs
> and services ;)
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
There is a project dealing with creating a secure login for a web
site. It is being developed multi-lingually and across multiple
languages (PHP, VB.net, etc.).
Take a look at https://code.google.com/p/loginsystem-rd/
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
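The session-table approach Tommy describes (steps 2 and 3 plus the concurrent-login check), as an added PHP example that is not from this thread or from the loginsystem-rd project. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table name, column names and the 15-minute timeout are assumptions.

```php
<?php
// Added example, not from the thread. Table/column names and timeout are assumed.
const SESSION_TIMEOUT = 900; // seconds of inactivity before a session counts as stale

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_session (
    user_id     INTEGER PRIMARY KEY,
    session_id  TEXT    NOT NULL,
    last_access INTEGER NOT NULL)');

// Called after the password check has already succeeded. Returns 'ok',
// 'ok-stale' (previous session timed out without a logoff: the cue for the
// courtesy email) or 'denied' (another browser still holds a live session).
function beginLogin(PDO $db, int $userId, int $now): string
{
    $stmt = $db->prepare('SELECT last_access FROM user_session WHERE user_id = ?');
    $stmt->execute([$userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $status = 'ok';
    if ($row !== false) {
        if ($now - (int)$row['last_access'] <= SESSION_TIMEOUT) {
            return 'denied';
        }
        $status = 'ok-stale';
    }
    // Fresh random session id: this is what the cookie carries and what the
    // DB entry is compared against (send it with httponly/secure flags).
    $sid = bin2hex(random_bytes(32));
    $db->prepare('INSERT OR REPLACE INTO user_session VALUES (?, ?, ?)')
       ->execute([$userId, $sid, $now]);
    return $status;
}

// Called on every request carrying the cookie: the access is valid only if the
// session id matches the stored one and the last access is inside the timeout.
function touchSession(PDO $db, int $userId, string $sid, int $now): bool
{
    $stmt = $db->prepare('UPDATE user_session SET last_access = ?
        WHERE user_id = ? AND session_id = ? AND last_access >= ?');
    $stmt->execute([$now, $userId, $sid, $now - SESSION_TIMEOUT]);
    return $stmt->rowCount() === 1;
}

$t = 1000000; // constructed clock value for the demo
echo beginLogin($db, 42, $t), "\n";                     // ok
echo beginLogin($db, 42, $t + 60), "\n";                // denied: session still live
echo beginLogin($db, 42, $t + 2000), "\n";              // ok-stale: user never logged off
var_dump(touchSession($db, 42, 'bogus', $t + 2001));    // bool(false): cookie id mismatch
```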