Quote:
Originally Posted by daveT
What's interesting is that the account-confirmation page redirects to 404 if you tried to type it into the browser. Is that how PHP, etc., works?
Forgot this part.
Um, well not really. There isn't a specific, defined way for handling user authentication in PHP. I guess if you wanted you could send back 404 headers anytime someone tries to access a page without being authenticated, but there are better ways of doing that.
I use sessions for handling access control. Python and Ruby can do sessions as well. Sessions allow you to maintain persistent data over the course of multiple requests. When a user successfully logs in, the server assigns them a unique ID. It's also possible to assign custom session variables to the user.
For me, when a user logs in successfully, their session ID gets regenerated to a new value. There are also session variables set for the unix time of their last activity, their username, a user ID number they don't know, and an SHA1 hash of a string containing their session ID, their browser's user agent, and some other value that I can't remember. I think it's their internal user ID that they don't know.
At the start of every PHP script that I only want authenticated users to access, there is a function for authentication. It first checks to see if the session variables that were set during login are still set. If not, they get redirected out to the login page.
It then calculates the same SHA1 hash of items and compares the result to the session variable of the same. If the values match, the script proceeds. If not, they get redirected out.
The reason for this step is to protect against session hijacking. By confirming an unknown, unique, predictable value, it becomes difficult for an attacker to misrepresent their identity to the server. Although session IDs are unique and are regenerated after login, they can be obtained by the user. This method requires an attacker to obtain an identical user agent string, the unique session ID, a confidential value stored in a database, as well as the order to place them in an SHA1 hash.
Finally, it gets the current unix time and subtracts the value of the last activity session variable. If the difference is less than 3600 seconds (1 hr), it resets the last activity session var to whatever the current time is. If it's more than 3600, they get redirected to the login with a message that their session has timed out.