[Phplib-users] (no subject)
From: <pe...@kr...> - 2002-04-24 11:10:00
Hi there
I'm thinking of using pre-authorisation on a new site I'm involved in developing.
Assuming I don't want to use rabbit intestines, but instead want to use cookies, this is what I reckon is involved.
A.
Modify my auth_validatelogin() to set a cookie once the user has been validated - eg

    setcookie("ckUser", $uid, time()+360000); // Valid for 100 hours ie approx 4 days

and to clear the cookie if validation fails (not sure how this could happen, but let's be safe)

    setcookie("ckUser", "", time()-3600); // Expiry in the past deletes the cookie
B.
Write an auth_preauth something like this:
    function auth_preauth() {
        // Very basic check to prove the concept
        global $HTTP_COOKIE_VARS;
        $uid = isset($HTTP_COOKIE_VARS['ckUser']) ? $HTTP_COOKIE_VARS['ckUser'] : "";
        if (empty($uid)) {
            return false;
        } else {
            // The cookie value is client-supplied, so escape it before it goes into the query
            $this->db->query(sprintf("select username,perms,password from %s where user_id = '%s'",
                $this->database_table, addslashes($uid)));
            $username = "";
            $perm = "";
            while ($this->db->next_record()) {
                $username = $this->db->f("username");
                $perm = $this->db->f("perms");
            }
            if (empty($username)) {
                return false;
            } else {
                $this->auth["uname"] = $username;
                $this->auth["perm"] = $perm;
                return $uid;
            }
        }
    }
C.
and finally override auth_unauth():
    function unauth() {
        $this->auth["uid"] = "";
        $this->auth["perm"] = "";
        $this->auth["exp"] = 0;
        setcookie("ckUser", "", time()-3600); // Drop the pre-auth cookie as well
    }
OK then. Firstly - is this the approach you would take, or have taken? Is there a better way?
Secondly - what are the security implications? Should I be storing the UID? Is there a way to guarantee that someone hasn't stolen the cookie or faked it on another machine? (I thought of also keeping the IP address, but that won't work because of dynamic IP allocation).
Thanks for your thoughts!
Peter
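The following is an added example, not Peter's code and not part of PHPLib, illustrating the alternative the questions above point at: put a random, unguessable token in the cookie rather than the user id, keep only a hash of that token server side together with its expiry, and revoke it on logout. It assumes a PHP 7 or later runtime (random_bytes, nullable types); the $store array stands in for a database table keyed on the token hash, and the cookie name and HTTPS-only flag are assumptions about the deployment.

```php
<?php
// Added example (not the poster's or PHPLib's code): a pre-auth cookie that
// carries a random token instead of the user id. Only a SHA-256 hash of the
// token is kept server side, so a leaked table does not yield usable cookies;
// each token has its own expiry and can be revoked. $store stands in for the
// database table (constructed, in-memory).

const PREAUTH_COOKIE   = 'ckPreauth';   // assumed cookie name
const PREAUTH_LIFETIME = 100 * 3600;    // 100 hours, as in the original proposal

// Issue a new token for $uid. Returns the raw token for the cookie;
// only its hash is written to $store.
function preauth_issue(array &$store, string $uid, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits from the CSPRNG
    $store[hash('sha256', $token)] = array(
        'uid'     => $uid,
        'expires' => $now + PREAUTH_LIFETIME,
    );
    return $token;
}

// Validate a token presented by the client. Returns the uid, or null if the
// token is malformed, unknown or expired. Expired rows are deleted on sight.
function preauth_validate(array &$store, ?string $token, int $now): ?string
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // reject anything that is not a token we could have issued
    }
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] <= $now) {
        unset($store[$key]);
        return null;
    }
    return $store[$key]['uid'];
}

// Revoke a token (what unauth() would call). Safe for tokens never issued.
function preauth_revoke(array &$store, ?string $token): void
{
    if ($token !== null) {
        unset($store[hash('sha256', $token)]);
    }
}

// Set or clear the cookie. HttpOnly keeps page scripts from reading it and
// the secure flag limits it to HTTPS; both are deployment assumptions.
function preauth_set_cookie(string $token, int $now): void
{
    setcookie(PREAUTH_COOKIE, $token, $now + PREAUTH_LIFETIME, '/', '', true, true);
}

function preauth_clear_cookie(int $now): void
{
    setcookie(PREAUTH_COOKIE, '', $now - 3600, '/', '', true, true);
}

// Offline walk-through with a constructed store and a fixed clock.
$store = array();
$now   = 1000000;

$token = preauth_issue($store, '42', $now);
assert(preauth_validate($store, $token, $now + 60) === '42');                     // genuine cookie
assert(preauth_validate($store, str_repeat('0', 64), $now) === null);             // forged token
assert(preauth_validate($store, 'abc', $now) === null);                           // malformed value
assert(preauth_validate($store, $token, $now + PREAUTH_LIFETIME + 1) === null);   // expired

$token = preauth_issue($store, '42', $now);
preauth_revoke($store, $token);
assert(preauth_validate($store, $token, $now) === null);                          // revoked on logout
echo "preauth checks passed\n";
```

Because the cookie holds nothing but a random token, a forged cookie has to guess 256 bits, and the database only ever learns the hash, so the table on its own cannot be replayed. A stolen cookie is still a stolen cookie, which is why the example bounds its lifetime, marks it HttpOnly and secure, and deletes the server-side row at logout rather than merely expiring the cookie in the browser.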