I'm developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it's a bit confusing, so I want to check that my approach makes sense.
I plan on storing the following data:
In the session: user-id, hashed + salted HTTP_USER_AGENT
In the cookie and in the database: random token, hashed + salted identifier
On every page, I plan on doing the following:
If a session exists, authenticate using that. Check that the HTTP_USER_AGENT matches the one in the stored session.
If no session exists, use the cookie to authenticate. Check that the token and identifier in the cookie match those in the database.
If the cookie is invalid or doesn't exist, ask user to login.
Are there any obvious flaws in this? As long as I set a timeout in the cookie, I should be fairly safe, right? Is there anything I'm missing?
Many thanks in advance.
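The session-then-cookie flow described in the question, as an added PHP example (not code from the question or from any answer). It stores only a hash of the cookie's secret in the database, splits the cookie into a lookup selector and a secret validator so the secret never serves as a database key, compares hashes in constant time, enforces expiry server-side rather than trusting the cookie's own expiry, and regenerates the session id when the cookie logs a user in. It uses an in-memory SQLite table created inline; the function names and the user id 42 are constructed for the demonstration.

```php
<?php
// Added example, not from the original question: a "remember me" cookie in
// selector:validator form with only a hash of the validator stored server-side.
// Assumptions: PDO with the in-memory SQLite table created below; the function
// names (issue_remember_token, authenticate_from_cookie, current_user) are
// hypothetical, as is the sample user id 42.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, checked server-side too

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id INTEGER NOT NULL,
            expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

// Called after a successful password login. Returns the cookie value for the
// browser; the database only ever sees a hash of the validator, so a read of
// the table does not yield a usable cookie.
function issue_remember_token(int $userId): string {
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, lives only in the cookie
    $stmt = db()->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Cookie flags keep the token away from JavaScript and plain-HTTP requests.
function send_remember_cookie(string $value): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id when the cookie is well-formed, matches the stored hash
// and is unexpired; null otherwise. Expired rows are deleted on sight.
function authenticate_from_cookie(string $cookieValue): ?int {
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // hash_equals() compares in constant time, so response timing does not
    // leak how many leading bytes of the validator were right.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    if ((int)$row['expires_at'] < time()) {
        db()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int)$row['user_id'];
}

// Per-request flow from the question: session first (with the user-agent hash
// bound at login), then the cookie, then null so the caller shows the login form.
function current_user(array &$session, array $cookies, string $userAgent): ?int {
    $uaHash = hash('sha256', $userAgent);
    if (isset($session['user_id'], $session['ua_hash'])) {
        return hash_equals($session['ua_hash'], $uaHash) ? (int)$session['user_id'] : null;
    }
    if (isset($cookies[REMEMBER_COOKIE])) {
        $userId = authenticate_from_cookie($cookies[REMEMBER_COOKIE]);
        if ($userId !== null) {
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true); // new session id on privilege change
            }
            $session['user_id'] = $userId;
            $session['ua_hash'] = $uaHash;
            return $userId;
        }
    }
    return null;
}

// Demonstration with a constructed user id, cookie jar and user-agent string.
$session = [];
$cookie  = issue_remember_token(42);
var_dump(current_user($session, [REMEMBER_COOKIE => $cookie], 'ExampleBrowser/1.0'));
$fresh = [];
var_dump(current_user($fresh, [REMEMBER_COOKIE => 'deadbeef:deadbeef'], 'ExampleBrowser/1.0'));
```

In production the validator would be rotated (delete the row, issue a new token and re-send the cookie) each time it is used to log a user in, so a copied cookie stops working after the legitimate browser next uses it, and all of a user's rows would be deleted on logout or password change.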