PHP login security


#1

Hello PHP experts, I am hoping that someone can shed some light on the subject of login security. I am a beginner and i do not know enough about backend programming. Before i babble, let me get to the point:

how is a check for a session variable supposed to be secure? so we simply match a username and password with a database record. I feel like hackers will have no problem getting by a challenge as simple as if (isset($_SESSION[‘username’])).

is it possible to use something like fiddler to set a username to anything, then gain access? i feel very uncomfortable with this method, yet i do not know what i can do to be certain that a user is authentic.

should we assign a secret pin number in a session variable as well? should we consistently check the database for a correct username? should we also verify that any username session variable has also submitted a valid password? should we also lock the session to the domain?

since we cannot see the source code for big corporations, i wonder if, say Microsoft, is challenging a login with a simple if (isset($_SESSION[‘username’]))?

how can this be secure? anyone have suggestions for a better authentication method?


#2

$_SESSION works differently from other super globals and a user can not directly access it from the client side (unline COOKIE, REQUEST, etc).

It works like this:

  1. A client sends a request to your PHP script, no session exists at this time.
  2. The PHP script runs session_start, which behinds the scenes:
    • Creates a session store wherever the server has configured it (file, memory)
    • sends a PHPSESSID cookie in the response to the client (cookie only contains the session id, nothing actually stored in the session)
  3. The client stores the PHPSESSID cookie
  4. The client sends a new request including the PHPSESSID cookie
  5. The PHP script runs session_start, which behinds the scenes:
    • sees that the client has a PHPSESSID cookie
    • loads the session data belonging to this ID

The session data stays on the server and only the ID is ever exposed to the end user.

You can of course brute force (guess) the session ID, but it is highly unlikely you will successfully generate one.

If you do not feel confident about auth you may not want to handle it yourself (most of us shouldn’t). If so you can either:

  • Use an existing auth library for PHP, most large frameworks include one.
  • use a 3rd party service, ie https://auth0.com/

#3

Hello Jim and Thank you for the informative post. Very helpful. :smile:

I was reading about JSON Web Tokens and the Firebase library. I didn’t know about this process. I used to read RFCs regularly but i have failed to keep up with technology for many years now.

I will definitely read more about JSON Web Tokens and also look at using a library for logins. I am not comfortable handling a login and authentication. I am simply nescient of the subject. Not a good idea to implement code that is not fully understood.

Time to seek out some libraries…