Developing a secure PHP login and authentication strategy

Question

I\'m developing a login and authentication system for a new PHP site and have been reading up on the various attacks and vulnerabilities. However, it\'s a bit confusing, so

Answer 1

Storing the cookie in the database is a HORRILBE idea. It means that if an attacker had a sql injection vulnerability he could immediately gain access without having to crack a hashed password.

Speaking of which you need to use sha256 for passwords, if you use md5() you are technically vulnerable to attack and you could be issued a CVE number.

NEVER generate your own Session id's, use session_start() and the $_SESSION super global.

This is a secure way to redirect people. If you don't die after header() the rest of the php code is STILL EXECUTED even though its not displayed by normal browsers (hackers still see it :)

header("location: index.php");
die();

To be honest if security confuses you, don't write security systems. People have written more than 1,000 login systems for PHP alone and the majority are vulnerable. This project has a secure authentication system: http://code.google.com/p/michael-the-messenger/downloads/list

Answer 2

Most sites just use the PHP session; the session data ($_SESSION) is in a file on your server. All that's sent to the browser is a session ID. Be sure to regenerate the session each request (session_regenerate_id). You don't need to be sending two cookies or anything.

This is less vulnerable to session hijacking as every request is a new ID, so an old one intercepted by an attacker is useless.

The best solution, obviously, would be to use SSL throughout the entire session.