Proper security for communicating with the DB in a Web App

I really have a lot of questions about this specific area. But basically I just want to know how to create the most efficient and secure php session communication method. I have read so many websites talking about this and they don't seem to agree or relate to my current situation.

My problem is that I don't know how to create login, sessions, cookies, registration etc. properly to match a high security level. This is my idea so far.

1. PHP SESSIONS

I will start a session after the login has been made. I know that there are different ways for me to handle these, but at the moment I have created a session variable like so, $_SESSION['user'], which lets me store the user's e-mail address during the session. Then I have a problem when the session is ended with the server. That leads me to the next property.

2. COOKIES

With cookies I would be able to store the e-mail address and the hash-encoded password and then be able to recreate a session based on this login information.

<?php
session_start();
require_once('config.php'); // provides $conn (a PDO connection); retrieved from the server's include folder specified on the Apache server.

// If the session is closed, there won't be a session variable called 'user' anymore.
if (empty($_SESSION['user'])) {

    // If the cookies haven't been set..
    if (empty($_COOKIE['user']) || empty($_COOKIE['psw'])) {

        // ... close the session and return to the login page
        session_destroy();
        header('Location: login.php?err=4'); // err=4 means session ended
        exit;

    } else {

        // We don't know whether the user has logged in using e-mail or username, so we match on either.
        // Every named placeholder is bound exactly once: PDO does not allow reusing the same
        // placeholder name twice in one statement with native prepares.
        $sql = 'SELECT * FROM login WHERE (email = :email AND password = :psw1) OR (username = :username AND password = :psw2)';

        $statement = $conn->prepare($sql);

        $statement->bindValue(':email', $_COOKIE['user'], PDO::PARAM_STR);
        $statement->bindValue(':username', $_COOKIE['user'], PDO::PARAM_STR);
        $statement->bindValue(':psw1', $_COOKIE['psw'], PDO::PARAM_STR);
        $statement->bindValue(':psw2', $_COOKIE['psw'], PDO::PARAM_STR);

        if ($statement->execute() && ($row = $statement->fetch())) {

            $_SESSION['user'] = $_COOKIE['user'];

        } else {

            // Failed to retrieve data somehow.
        }
    }
}

?>

But then I have read that the session_id() is also a cookie-stored value, which will be the same every time I recreate the session. So I actually don't have to match the values against the server again, because I can simply start the session again and continue from where I left off.. But I see this as a security break, since if the session_id() has been retrieved by somebody else, they will be able to connect using the same session_id() etc.

3. I also need to use the values from other domains

I know that it is possible to use the same login details from another website, e.g. Facebook, Google etc. I want to be able to reuse the same login for all the domains I am working with, but how do I ensure that only my (registered) domains can have access to the login information, and not other sites?

4. Is there another secure way?

This is actually my question. I am not sure that what I have done or planned is highly secure, and I definitely don't think that my newbie experience is good enough to create a login-secure database connection. So I would like to know if anybody could link me to the official page on the right way to store and use login details in PHP in the most efficient and secure manner.

PHP sessions are the way to go when you want to handle logins in PHP. To do this in a safe manner you should make sure that your session data is stored on your server and the client only has a session_id in a cookie.

Every time you have a security-level change (login, logout etc.), you should regenerate the session id to ensure more safety (old stolen session ids will become unusable). You should also make the session cookie http_only, which will make it impossible to steal the cookie using JavaScript.

From a security perspective I would recommend that you never use cookies to store sensitive information. Information stored in cookies is not safe; it is stored on the client's computer and can be altered or stolen.

Google and Facebook make logging in to all kinds of websites possible using OAuth (2). I'm not sure whether that would be usable for you, but cookies will only be accessible by at most one domain.

I would recommend using PHP sessions; they are secure if you handle them correctly. If you are not really sure how to do that, you could take a look at some good PHP frameworks. I know from experience that the Laravel framework has a good login handler.
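The points in this answer (state kept server-side, only a session id in the cookie, HttpOnly cookie, regenerate the id on login and logout) put together in one login handler. This is an added example, not code from the answer or from the asker; it assumes PHP 7.3 or newer (for the array form of session_set_cookie_params and setcookie), a PDO connection in $pdo, and a table users(id, email, password_hash) whose password_hash column was produced with password_hash(). The table and column names are assumptions.

```php
<?php
// Added example (not from the answer above): login kept entirely in the server-side
// PHP session; the client only ever holds the session id cookie.
// Assumptions: PHP >= 7.3, $pdo is a PDO connection, and a table
// users(id, email, password_hash) exists with hashes made by password_hash().

declare(strict_types=1);

// Cookie flags: HttpOnly keeps JavaScript from reading the id, Secure restricts it to
// HTTPS, SameSite=Lax limits cross-site sending. Must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,          // browser-session cookie
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Reject ids the server never issued (a fixated or guessed id gets a fresh one instead).
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');
session_start();

/**
 * Verify e-mail/password and, on success, bind the user to a newly generated session id.
 * Returns true on success, false otherwise, without saying which part failed.
 */
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run password_verify even for unknown e-mails so both paths take similar time.
    $hash = $row['password_hash'] ?? password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }

    // Security level changed: issue a new id and delete the old session data, so an
    // id captured before login no longer refers to a logged-in session.
    session_regenerate_id(true);
    $_SESSION['user_id']   = (int) $row['id'];
    $_SESSION['logged_in'] = time();
    return true;
}

/** Tear the session down completely on logout: data, cookie and id. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// On a protected page: no re-login from cookies, just check the server-side session.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php?err=4'); // err=4: no valid session
    exit;
}
```

Note what is absent compared with the cookie approach in the question: the password (hashed or not) never leaves the server, nothing in the cookie identifies the user, and a session id that was captured before login stops working the moment login() calls session_regenerate_id(true).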

Sessions already use cookies to keep the session. If you configure it properly, you can keep sessions open indefinitely, if that's what you want to do (unless the user deletes cookies, but then your cookie-based solution won't help either). Anything you build yourself with cookies will probably be less secure than that, so I wouldn't bother with it. Properly configure the session settings of course.

Reusing information across domains is a complex field. If they are all backed by the same database, just let the user log in on any site. You will need to manage separate sessions (read: the user will need to log into each site separately, but can use the same user/password) or build some pretty complex cross-domain session sharing (hint: you probably don't want to). If you want to go for a more complex solution (e.g. because your domains don't share a central database), google "single sign-on" and prepare for hours, days and weeks of reading.