On 23 June 2010 07:44, Tommy Pham <tommyhp2@xxxxxxxxx> wrote:
>> -----Original Message-----
>> From: James Colannino [mailto:james@xxxxxxxxxxxxx]
>> Sent: Tuesday, June 22, 2010 10:06 PM
>> To: PHP-General List
>> Subject: Re: Question about logins and locking
>>
>> Tommy Pham wrote:
>>
>> > 1) Set an encrypted (to prevent hijacking and eavesdropping) cookie to
>> > expire when the browser closes
>> > 2) Have a table in the DB backend to keep track of whether the user is
>> > logged in or not and when the validated user last accessed your site
>> > (this gets updated when the user visits a link on your site by checking
>> > the cookie and the DB entry of the session ID)
>> > 3) Set your session timeout according to your security requirement
>> > 4) Have a javascript on a timeout to self-logoff should the user be
>> > AFK longer than your session timeout.
>> >
>> > If another user, or the same user, tries to login with a different
>> > browser, you can check the status of the user. If the user is logged
>> > in, you can deny it after the authentication. Should the user close
>> > the browser without logging off, you can check when the user last
>> > accessed your site and see if it's been longer than your session
>> > timeout. For security purposes, you can optionally send a courtesy
>> > email notifying them that the user didn't logout properly since last
>> > accessed. This way, you can track whether the user's system is
>> > compromised in some way or not. It all depends on what kind of
>> > application, service, user level access, and the strict security you
>> > require.
>>
>> Thanks Tommy. That was very helpful, and some of it is similar to how I
>> was thinking of doing it.
>>
>> James
>>
>
> Forgot 1 more thing: if you really want to be strict about security, you
> can set a very highly secured permanent cookie on the user's system on the
> first initial login. You can send them a confirmation code, that it's
> really who they say they are, to the email address. Then the user will
> need to submit that confirmation code along with the current password as
> part of the initial logon process. So if a hijacker or eavesdropper tries
> to logon with your user's info on another system, a new confirmation code
> would be sent to your user's email address. Your user would then know
> their identity has been stolen. Setting this up will entail slight
> modification to your app and DB design but will have better overall
> security. Again, evaluate your needs and services ;)
>
> Regards,
> Tommy
>
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

There is a project dealing with creating a secure login for a web site. It is
being developed multi-lingually and across multiple languages (PHP, VB.net,
etc.). Take a look at https://code.google.com/p/loginsystem-rd/

--
-----
Richard Quadling
"Standing on the shoulders of some very clever giants!"
EE : http://www.experts-exchange.com/M_248814.html
EE4Free : http://www.experts-exchange.com/becomeAnExpert.jsp
Zend Certified Engineer : http://zend.com/zce.php?c=ZEND002498&r=213474731
ZOPA : http://uk.zopa.com/member/RQuadling
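The scheme Tommy describes above (a server-side session table with a last-access timestamp, an idle timeout, denying a second concurrent login, a courtesy notice when the previous session was never logged off, and an e-mailed confirmation code for a browser that does not yet carry the permanent device cookie) is easy to get subtly wrong, so here is a worked version. This is example code added here, not from the thread or from the loginsystem-rd project; the SQLite schema, the `SessionStore` API, the fixed `now` clock and the `outbox` list standing in for the mail system are all assumptions made for the example.

```python
"""Server-side session tracking as described in the thread: idle timeout,
one live session per user, courtesy notice on stale sessions, and a
confirmation code for unknown devices. Example code, not the list's or
the loginsystem-rd project's own; schema and names are assumptions."""
import hmac
import secrets
import sqlite3

IDLE_TIMEOUT = 15 * 60  # seconds; set according to your security requirement


class SessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.timeout = idle_timeout
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE sessions (session_id TEXT PRIMARY KEY,
                                   user_id TEXT NOT NULL, last_access INTEGER NOT NULL);
            CREATE TABLE devices  (user_id TEXT NOT NULL, device_token TEXT NOT NULL);
            CREATE TABLE pending_codes (user_id TEXT PRIMARY KEY, code TEXT NOT NULL,
                                        device_token TEXT NOT NULL);
        """)
        self.outbox = []  # constructed stand-in for e-mail: (user_id, message)

    @staticmethod
    def _result(status, session_id=None, device_token=None):
        return {"status": status, "session_id": session_id, "device_token": device_token}

    def login(self, user_id, now, device_token=None):
        """Call after the password check passed. An unknown device gets a
        confirmation code mailed instead of a session (Tommy's extra step)."""
        known = device_token is not None and self.db.execute(
            "SELECT 1 FROM devices WHERE user_id=? AND device_token=?",
            (user_id, device_token)).fetchone() is not None
        if not known:
            code = f"{secrets.randbelow(10 ** 6):06d}"
            self.db.execute("INSERT OR REPLACE INTO pending_codes VALUES (?,?,?)",
                            (user_id, code, secrets.token_urlsafe(32)))
            self.outbox.append((user_id, f"confirmation code {code}"))
            return self._result("confirmation_required")
        return self._open_session(user_id, now)

    def confirm(self, user_id, code, now):
        """Second half of a first login: code from the mail plus password already
        checked. Registers the device token that becomes the permanent cookie."""
        row = self.db.execute("SELECT code, device_token FROM pending_codes WHERE user_id=?",
                              (user_id,)).fetchone()
        if row is None or not hmac.compare_digest(row[0], code):  # constant-time compare
            return self._result("bad_code")
        self.db.execute("DELETE FROM pending_codes WHERE user_id=?", (user_id,))
        self.db.execute("INSERT INTO devices VALUES (?,?)", (user_id, row[1]))
        res = self._open_session(user_id, now)
        res["device_token"] = row[1]
        return res

    def _open_session(self, user_id, now):
        row = self.db.execute("SELECT session_id, last_access FROM sessions WHERE user_id=?",
                              (user_id,)).fetchone()
        if row is not None:
            if now - row[1] <= self.timeout:       # still live somewhere else: deny
                return self._result("denied_already_logged_in")
            # Stale: browser closed without logoff. Tommy's optional courtesy mail.
            self.outbox.append((user_id, "courtesy notice: last session was not logged out"))
            self.db.execute("DELETE FROM sessions WHERE session_id=?", (row[0],))
        sid = secrets.token_urlsafe(32)            # value of the session cookie
        self.db.execute("INSERT INTO sessions VALUES (?,?,?)", (sid, user_id, now))
        return self._result("ok", sid)

    def touch(self, session_id, now):
        """Run on every request carrying the session cookie. Returns the user id
        when the session exists and was used within the idle timeout, else None."""
        row = self.db.execute("SELECT user_id, last_access FROM sessions WHERE session_id=?",
                              (session_id,)).fetchone()
        if row is None or now - row[1] > self.timeout:
            return None                            # stale sessions are reaped at next login
        self.db.execute("UPDATE sessions SET last_access=? WHERE session_id=?", (now, session_id))
        return row[0]

    def logout(self, session_id):
        self.db.execute("DELETE FROM sessions WHERE session_id=?", (session_id,))


def walkthrough():
    """Drives the store through the thread's scenario with a constructed clock
    (seconds) and returns the observed statuses in order."""
    store = SessionStore(idle_timeout=600)
    events = []
    res = store.login("alice", now=0)                      # new browser, no device cookie
    events.append(res["status"])                           # confirmation_required
    code = store.outbox[-1][1].split()[-1]                 # user reads the code from mail
    res = store.confirm("alice", code, now=10)
    events.append(res["status"])                           # ok
    sid, device = res["session_id"], res["device_token"]
    events.append(store.touch(sid, now=300) == "alice")    # True: within timeout
    events.append(store.login("alice", now=400, device_token=device)["status"])  # denied
    events.append(store.touch(sid, now=1000))              # None: idle longer than timeout
    events.append(store.login("alice", now=1000, device_token=device)["status"])  # ok
    events.append(store.outbox[-1][1].startswith("courtesy"))  # True: notice was sent
    return events


if __name__ == "__main__":
    print(walkthrough())
```

The server-side check in `touch` is the authoritative one; the JavaScript self-logoff timer in step 4 is a convenience for the user, not a control, because a client that never runs it still hits the same timeout here. The session cookie should carry the random `session_id` with `Secure` and `HttpOnly` set and no expiry, so it dies with the browser as step 1 requires; the device token is the long-lived cookie and is only ever compared against the `devices` table after the password has already been checked.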