Recently I tried to, like, "develop" my own login system. I am sure someone already did this before, but this is a summary of how it works.
Of course, there is a “members” table which contains data like ID, username, bcrypt encrypted password, email, and other data.
Secondly, there is another database called “sessions”, it contains a custom session hash, and user’s ID.
Now, when someone logs in, after all checks have been done, the script generates a unique 32-character hash and stores it in the user's session information. The same session hash is inserted into the "sessions" database, together with the ID of the user who logged in.
When it checks whether the session is valid, it checks whether this session exists in the database. If it does, it then checks whether the user's last action was more than 15 minutes ago. If it was, the session has expired and is deleted from the database, thus logging the user out.
I would like to hear your opinions on this system, and how I can improve it.
Thanks!
Many things you can do, but your system is pretty much right on. The only thing I can suggest is storing the IP address of the remote user in the session table as well. If you don't do this, then your app will be vulnerable to session theft. This is less of a problem if you make sure that the session hash is always sent over SSL, but if not, it is possible that someone can get that 32-character session hash and use it to steal someone's session and gain access to the system without logging in.
So, when you check for a valid session in the sessions table, you would also check that the IP address still matches. The only drawback is that for some valid users, their IP address may change in the middle of a session, thus logging them out while they are doing something. This is less of a problem these days as broadband is more and more popular.
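The session store from the question plus the IP check from the reply, written out as an added example (this is not code from either poster; the in-memory dict standing in for the "sessions" table, the ManualClock helper and all names are assumptions):

```python
import secrets
import time

SESSION_TTL = 15 * 60  # 15 minutes of inactivity, as described in the post


class ManualClock:
    """Injectable clock so expiry can be exercised offline without sleeping."""
    def __init__(self, now=1_000_000.0):
        self.now = now

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class SessionStore:
    """Stand-in for the 'sessions' table: session hash -> user ID, IP, last action."""
    def __init__(self, clock=time.time):
        self._rows = {}      # assumption: a dict instead of a real database table
        self._clock = clock

    def create(self, user_id, client_ip):
        # 16 random bytes from the OS CSPRNG -> 32 hex characters, the "32 chars long hash"
        token = secrets.token_hex(16)
        self._rows[token] = {"user_id": user_id, "ip": client_ip,
                             "last_action": self._clock()}
        return token

    def validate(self, token, client_ip, bind_ip=True):
        """Return the user ID for a live session, or None (and drop the row) otherwise."""
        row = self._rows.get(token)
        if row is None:
            return None                      # unknown session hash
        if self._clock() - row["last_action"] > SESSION_TTL:
            del self._rows[token]            # idle too long: expire and log out
            return None
        if bind_ip and row["ip"] != client_ip:
            del self._rows[token]            # reply's IP check; a changed IP logs the user out
            return None
        row["last_action"] = self._clock()   # activity keeps the session alive
        return row["user_id"]
```

Passing bind_ip=False gives the behaviour the reply warns about trading off: users whose address changes mid-session stay logged in, at the cost of not catching a reused session hash from another address.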