December 5th, 2001, 12:36 PM
Which log-in / auth method to use?
This is a general question, not related to a particular lang. or database system.
I want to have "members only" sections on my site. This means they log-in.
Now how do I go about this? There is my idea for now:
- User creates account, if he wan't to be logged-in permanently, a permanent cookie is stored on the client's computer with username and password only. (maybe do a basic encrypt on password?)
- User gets a request to log-in, where he enters username+password, or the script read directly username and password from the cookie.
- The script checks the values against the users table of the database. If everything is ok, then
- The script creates an MD5 digest with the username, password and IP adress (or whatever combinaison) and writes to a table called "browsing" the following information: User name, user access level, user IP adress, login date/time, last page view date/time and the MD5.
- The same MD5 is written in a temp cookie that gets deleted at the end of the browser session, or the MD5 is passed thru the script pages by an hidden field or directly in the url.
- When a user browses, it reads the MD5 from cookie or form and compares to the browsing table to check if the user is logged and have right permission to view page.
- The browsing table gets cleaned every, let's say, 15 minutes by a crontab that removes any row where the last page view is more than 15 minutes away. So if a user is static for more than 15 minutes, he'll have to re-login or if the cookie is set the script will re-log him automatically.
Is this approach good?
Do you see any security risk using this method?
Would you improve it? and how?
Would it put a lot of load on the DB? Is there a better way?
Any feedback appreciated.
December 5th, 2001, 09:57 PM