I know the standard answer for anyone trying to implement user authentication is to use a ready built and tested library, but I’ve always loved reinventing the wheel.

I’ve create a user authentication and session data system in PHP, using the challenge-response technique to login. All private pages require a function at the beginning which verifies the session checking for session timeout, ip, browser and a 256bit token key. After verifying the session, it resets the timeout and generates a new token key.

The biggest weak point I can see at the moment however is the user registration. I haven’t written it yet, but it looks like I’m going to have to transmit from the client to the server either the password in plaintext, or a hashed version. Either way, if the packet is captured the snoop has all they need to login.

Is there an easy way to somehow encrypt it client side and decrypt server side? Or Perhaps send it in chunks with delays and dummy packets.

Also, if there are any other issues I may have missed please let me know.

• Log in asks for a challenge salt, and client hashes password before sending it
  hash(hash(password) . salt).
• To persist a session, client must have up to date token key and identical browser & IP to those that created the session.
• Naturally, all user inputs & ajax responses are checked before querying.