I’m writing a login system for a website I’m building.
Here is the essence of how I’m implementing the login system:
I have two tables: users, and sessions.
users: uid | uname | pass
sessions: sid | uid | ts | ts_expires
So the user enters a uname/pass combination.
- if the combination is incorrect, I redirect to a “bad auth” page.
- if the combination is correct, I:
- generate a random session id (sid)
- insert a record into sessions associating that sid with the uid of the username supplied.
- set a cookie named sid with the value of the random sid just inserted into sessions.
On each page that needs the user to be logged in, I check:
- whether the cookie is set
- if the sid is valid
So my questions are:
- What could be potential problems with this mechanism?
- How should a good login system be implemented?
PS: I don’t use SSL secured login yet. So that is the only problem I spot, as of now. And oh, I use php and mysql, if that is relevant.
EDIT: I store the passwords not in plaintext, but as an MD5 of the username concatenated with the password.
So, pass = MD5($uname.$pass), so to speak.
Hash that password, with a salt! Use a strong hash like bcrypt. If you have to use MD5/SHA, use a technique called stretching and hash its hashes several thousand times. The user won’t care if it takes a second to check his/her password instead of 1/1000, but a brute force cracker will.
Record attempts and prevent brute force attempts.
Be very cautious of where you store the user’s credentials once he logs in. You don’t want them changing it.
And use SSL!
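As an added example (not code from the question or the answer), here is a PHP sketch of the login flow and per-page check the question describes, reworked along the lines the answer suggests: bcrypt via password_hash() instead of MD5($uname.$pass), a session id drawn from random_bytes(), a cookie flagged HttpOnly and Secure, an expiry check on every protected page, and a record of failed attempts to slow brute forcing. It assumes a PDO connection in $pdo, the users and sessions tables from the question with users.pass holding a password_hash() string, and a hypothetical login_attempts(uname, attempted_at) table that the original schema does not have.

```php
<?php
// Added example, not from the question or answer. Assumes: a PDO connection $pdo,
// the users(uid, uname, pass) and sessions(sid, uid, ts, ts_expires) tables from
// the question with `pass` holding a password_hash() string, and a hypothetical
// login_attempts(uname, attempted_at) table for recording failures.
declare(strict_types=1);

const SESSION_TTL_SECONDS    = 3600;  // how long a session stays valid
const MAX_FAILED_ATTEMPTS    = 5;     // per username inside the window
const ATTEMPT_WINDOW_SECONDS = 900;
const BCRYPT_COST            = 12;

// Replaces MD5($uname.$pass): bcrypt with a random per-password salt and a
// tunable work factor, both handled by password_hash() itself.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

function tooManyFailedAttempts(PDO $pdo, string $uname): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM login_attempts WHERE uname = ? AND attempted_at > ?'
    );
    $stmt->execute([$uname, time() - ATTEMPT_WINDOW_SECONDS]);
    return (int) $stmt->fetchColumn() >= MAX_FAILED_ATTEMPTS;
}

function recordFailedAttempt(PDO $pdo, string $uname): void
{
    $stmt = $pdo->prepare('INSERT INTO login_attempts (uname, attempted_at) VALUES (?, ?)');
    $stmt->execute([$uname, time()]);
}

// Returns the new sid on success, or null so the caller can redirect to "bad auth".
function login(PDO $pdo, string $uname, string $password): ?string
{
    if (tooManyFailedAttempts($pdo, $uname)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT uid, pass FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    $storedHash = $row['pass'] ?? hashPassword('dummy-password');
    if ($row === false || !password_verify($password, $storedHash)) {
        recordFailedAttempt($pdo, $uname);
        return null;
    }

    // Upgrade stored hashes transparently if BCRYPT_COST is raised later.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $upd = $pdo->prepare('UPDATE users SET pass = ? WHERE uid = ?');
        $upd->execute([hashPassword($password), $row['uid']]);
    }

    // 128-bit session id from the OS CSPRNG, not rand()/mt_rand()/uniqid().
    $sid = bin2hex(random_bytes(16));
    $now = time();
    $ins = $pdo->prepare('INSERT INTO sessions (sid, uid, ts, ts_expires) VALUES (?, ?, ?, ?)');
    $ins->execute([$sid, $row['uid'], $now, $now + SESSION_TTL_SECONDS]);

    // HttpOnly keeps page scripts from reading the cookie; Secure keeps it off plain HTTP.
    setcookie('sid', $sid, [
        'expires'  => $now + SESSION_TTL_SECONDS,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $sid;
}

// For each page that needs a logged-in user: the uid for a valid, unexpired sid, or null.
function currentUser(PDO $pdo): ?int
{
    $sid = $_COOKIE['sid'] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $sid)) {   // reject anything not shaped like our sids
        return null;
    }
    $stmt = $pdo->prepare('SELECT uid FROM sessions WHERE sid = ? AND ts_expires > ?');
    $stmt->execute([$sid, time()]);
    $uid = $stmt->fetchColumn();
    return $uid === false ? null : (int) $uid;
}

// Invalidate the session server-side as well as clearing the cookie.
function logout(PDO $pdo, string $sid): void
{
    $pdo->prepare('DELETE FROM sessions WHERE sid = ?')->execute([$sid]);
    setcookie('sid', '', ['expires' => 1, 'path' => '/']);
}
```

The two checks the question lists (cookie set, sid valid) become one query in currentUser() that also enforces ts_expires, so an old sid stops working even if the cookie outlives it; the Secure flag on the cookie only helps once the site is served over SSL, which is the one gap the question already identifies.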