You are invited to Log in or Register a free Frihost Account!

Creating safe persistent login system

Recently, I am creating a login system based on Steam Web API that doesn't require user to provide his password, he must login on Steam Community website and them will be only authenticated on my site. It is based on OpenID.

Could you help me to create the login system? I have almost no experience on creating CMS so don't exactly know how to use sessions and cookies, what and where should I store etc. Very important for me is to keep users secure and disable and 'input' hacks based on cookies or likely.

So far, user clicks URL that redirects him to Steam and then after he authenticated the login, he is redirected back to my site and in return, page receives his SteamID. If it's his first visit on the page, he is automatically registered with his Steam profile details (they are gathered with Steam Web API based on the ID), which are stored in database along with his SteamID - for later easier access.

Now, how to create safe persistent login ('remember me')? I want to use cookies + sessions + gathering profile data from database. There are lots of such tutorials on the web but most are out of date or insecure...

Thanks for upcoming help!

You may also want to read my two other threads. Storing large integer in MySQL database and SQL problem, not returning any result.
I have been searching for some solution and I came for an idea myself.

Could you read this pattern and tell me if it is okay/effective and what is most important - secure? Please, suggest me anything, I will honestly appreciate any feedback.

Let's start:

#1 Check if cookie exists
If yes - go to point #2
If not - go to #5

#2 Check if session exists
If yes - go to #4
If not - go to #3

#3 Read from cookie: hashed CID (randomly generated ID when cookie was created), hashed cookie creation timestamp, hashed last login timestamp.
Based on given CID, read from database: cookie creation timestamp, last login timestamp.
If they match, read Steam ID and all the user data from database, create session and write the data into the session. Go to #4.
If they do not match, kill cookie, log information about failed login to the database (for investigation).

#4 Display website with logged-in user.
Hash and save timestamp as last login timestamp into the cookie and database.

#5 Let user login using SteamWebAPI (get SteamID in return). Check if user is registered.
If yes, create cookie, hash randomly created CID, hash timestamp, save it as last login timestamp and cookie creation timestamp into cookie and database. Create session with SteamID and user data gathered from database. Go to #4
If is not registered, gather all user data from SteamWebAPI, save into database. Create cookie, session etc., as above. Go to #4.
Related topics
html login system
Simple login system
sticking "Creating a new Operating System"
Login System help
news system with login for more than 1 user.
Developing a Login System with PHP and MySQL
i need a single user login system
Login System Tutorial Part 1 Creating Registration
The best way to learn PHP?
Problem with Member system(or template) and $_GET[id]
Frih$ on offer for PHP Login System
Could someone create a really simple login system???
help with html
Login system with uploading features!
Reply to topic    Frihost Forum Index -> Scripting -> Php and MySQL

© 2005-2011 Frihost, forums powered by phpBB.