POSmart PHP Session Handling/Security
<p>I've decided the best way to handle authentication for my apps is to write my own session handler from the ground up. Just like in Aliens, it's the only way to be sure a thing is done the way you want it to be.</p>
<p>That being said, I've hit a bit of a roadblock when it comes to my fleshing out of the initial design. I was originally going to go with PHP's session handler in a hybrid fashion, but I'm worried about concurrency issues with my database. Here's what I was planning:</p>
<ol>
<li><p>The first thing I'm doing is checking IPs (or possibly even sessions) to honeypot unauthorized attempts. I've written up some conditionals that sleep naughtiness. The big problem here is obviously WHERE to store my blacklist for optimal read speed.</p></li>
<li><p>A session_id is generated, hashed, and stored in $_SESSION[myid]. A separate piece of the same token gets stored in a second $_SESSION[mytoken]. The corresponding data is then stored in <strong>TABLE X</strong>, which is a location I'm not settled on (which is the root of this question).</p></li>
<li><p>Each subsequent request then verifies that [myid] &amp; [mytoken] are what we expect them to be, then reissues new credentials for the next request.</p></li>
<li><p>Depending on the status of the session, more obvious ACL functions could then be performed.</p></li>
</ol>
<p>So that is a high-level overview of my paranoid session handler. Here are the questions I'm really stuck on:</p>
<p><strong>I. What's the optimal way of storing an IP ACL? Should I be writing/reading to hosts.deny? Are there any performance concerns with my methodology?</strong></p>
<p><strong>II. Does my MitM prevention method seem ok, or am I being overly paranoid with comparing multiple indexes? What's the best way to store this information so I don't run into brick walls at 80-100 users?</strong></p>
<p><strong>III. Am I hammering on my servers unnecessarily with constant session regeneration + writebacks? Is there a better way?</strong></p>
<p>I'm writing this for a small application initially, but I'd prefer to keep it a reusable component I could share with the world, so I want to make sure I make it as accessible and safe as possible.</p>
<p>Thanks in advance!</p>
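<p>As an added example (not code from the question or its author), the following shows how points II and III can be handled on top of PHP's own session handler rather than a custom one: the id is rotated when the authentication state changes and on a timer, instead of on every request, and the per-session token is compared in constant time. It targets PHP 7.3 or later; the function names and the two timeout values are this example's own choices.</p>

```php
<?php
// Added example, not code from the question or its author: a hardened session
// bootstrap on top of PHP's built-in handler (PHP >= 7.3). The function names
// and the timeout values are this example's own choices.

declare(strict_types=1);

const SESSION_IDLE_LIMIT   = 900;  // seconds of inactivity before the session is discarded
const SESSION_ROTATE_EVERY = 300;  // seconds between routine session id rotations

/**
 * Start (or resume) the session with cookie flags that limit exposure of the id.
 * use_strict_mode makes PHP refuse ids it did not issue, which defeats fixation;
 * HttpOnly keeps the cookie away from scripts, Secure limits it to TLS, and
 * SameSite=Strict stops browsers sending it on cross-site requests.
 */
function secure_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,          // cookie dies with the browser session
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();

    $now = time();

    // Idle timeout: wipe the data and issue a fresh id instead of resuming a stale session.
    if (isset($_SESSION['last_seen']) && $now - $_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        session_unset();
        session_regenerate_id(true);   // true deletes the old server-side record
    }
    $_SESSION['last_seen'] = $now;

    // Routine rotation bounds how long a leaked id stays usable without paying
    // for a regenerate-plus-writeback on every single request.
    if (!isset($_SESSION['rotated_at']) || $now - $_SESSION['rotated_at'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotated_at'] = $now;
    }
}

/** Call once credentials are verified: a new id means a pre-login id is worthless afterwards. */
function session_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['rotated_at'] = time();
    $_SESSION['csrf']       = bin2hex(random_bytes(32));   // 256-bit random token
}

/** Per-session token to embed in forms. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** hash_equals compares in constant time, so the check leaks nothing about the token. */
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

/** Drop the session server-side and expire the cookie in the browser. */
function session_logout(): void
{
    session_unset();
    session_destroy();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Usage on a request that posts a form:
secure_session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST['csrf'] ?? null)) {
    http_response_code(403);
    exit('invalid token');
}
```

<p>The design choice worth noting: the expensive operation is session_regenerate_id(true), which writes a new record and deletes the old one. Doing it at login, at logout and every few minutes gives a leaked id a short useful life while keeping the per-request cost to a single read and a single write of the existing record, which is the cost PHP's handler already pays.</p>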