Having studied our registration system to add some new features, I found out that it is not very secure. The auth cookie is encrypted: user id, stamp, version, PASSWORD IN THE RAW, and a cookie id. At least I can say that I'm not the one who did it the way the previous developer did. (Yes, I know that the password should be stored as a hash in the database instead of plain text. The original developer did this, and I have not fixed it yet.)
So I've read a lot about secure login and secure cookies, here and elsewhere on the Internet. I see how easy it is to do it in a way that is not safe.
About the site:
- This is an e-commerce site that also has a lot of community stuff (message board, gallery).
- The login page forces HTTPS.
- All account pages and verification also force HTTPS.
- Changing your password or email address requires the current password.
Here is my plan:
Goals:
- be able to log in from more than one place
- re-login required for the secure parts of the store; lasts 30-60 minutes; cookie only
- be able to view all current logins
- be able to log out everywhere at once
The backend login is secure and lasts longer; login from outside the office is limited.
user gets page:
    no auth:
        have user sign in with username & pass
        create new token
        expires =
            https on store: 30-60 min
            backend in office: 5 days
            backend remote: 30-60 min?
            regular without remember me: session or 24 hours?
            regular with remember me: 30 days
        insert into user_session
        set cookie
    auth:
        token in db:
            set uid
            generate new token, new expires, insert into DB, remove old?
            update cookie
        token not in db:
            logout, require sign in
table user_session:
    uid
    uid_as (for being 'logged in' as another user, admin feature only)
    token
    type
    ip address
    expires
    stamp

cookie value: token|hash(token + user id, server key)
Of all that I've read, this is what I came up with. It seems to me that I'm missing something. Are there any problems with my plan, or ways to make it more secure other than using HTTPS for the entire site? (Currently that would cause some problems, but I will talk about it later.)
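As an added worked example (not code from the question or from its site), here is the plan above in Python with sqlite3 standing in for the user_session table: the cookie is token|HMAC-SHA256(token + uid, server key), a successful check rotates the token and expiry, unknown or expired tokens fail, and the "view all logins" and "log out everywhere" goals map to queries on the same table. The server key, the concrete lifetime values, the column set and the sample uids/addresses are assumptions filled in from the lists above.

```python
"""Session-token login as sketched in the question: server-side user_session
table, cookie = token|HMAC(token + uid, server key), token rotated on every
authenticated request, per-type lifetimes, list and revoke sessions."""
import hashlib
import hmac
import secrets
import sqlite3

# Assumption: in a real deployment this comes from secret configuration, not source.
SERVER_KEY = b"example-server-key-do-not-ship"

# Lifetimes in seconds, one per session "type" from the plan (assumed values).
LIFETIMES = {
    "store_https": 30 * 60,           # secure parts of the store
    "backend_office": 5 * 24 * 3600,  # backend, from the office
    "backend_remote": 30 * 60,        # backend, remote
    "regular": 24 * 3600,             # regular login without remember-me
    "remember_me": 30 * 24 * 3600,    # regular login with remember-me
}


def new_db():
    """In-memory stand-in for the user_session table in the question."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE user_session (uid INTEGER NOT NULL, uid_as INTEGER, "
        "token TEXT PRIMARY KEY, type TEXT NOT NULL, ip TEXT, "
        "expires INTEGER NOT NULL, stamp INTEGER NOT NULL)"
    )
    return con


def _mac(token, uid):
    """hash(token + user id, server key): HMAC-SHA256 over both, keyed by the server key."""
    return hmac.new(SERVER_KEY, f"{token}|{uid}".encode(), hashlib.sha256).hexdigest()


def cookie_value(token, uid):
    return f"{token}|{_mac(token, uid)}"


def create_session(con, uid, session_type, ip, now):
    """'no auth' branch after a successful username/password check: insert a row, return the cookie."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    con.execute(
        "INSERT INTO user_session VALUES (?, ?, ?, ?, ?, ?, ?)",
        (uid, None, token, session_type, ip, now + LIFETIMES[session_type], now),
    )
    return cookie_value(token, uid)


def authenticate(con, cookie, ip, now):
    """'auth' branch: validate the cookie, rotate the token, return (uid, new_cookie) or None."""
    parts = cookie.split("|")
    if len(parts) != 2:
        return None
    token, mac = parts
    row = con.execute(
        "SELECT uid, type, expires FROM user_session WHERE token = ?", (token,)
    ).fetchone()
    if row is None:
        return None  # token not in db -> caller logs out and requires sign-in
    uid, session_type, expires = row
    # Constant-time compare so the MAC check leaks nothing about how many bytes matched.
    if not hmac.compare_digest(mac, _mac(token, uid)):
        return None
    if now >= expires:
        con.execute("DELETE FROM user_session WHERE token = ?", (token,))
        return None
    # Rotate: a new token and expiry replace the old row, so the old cookie stops working.
    new_token = secrets.token_urlsafe(32)
    con.execute(
        "UPDATE user_session SET token = ?, expires = ?, stamp = ?, ip = ? WHERE token = ?",
        (new_token, now + LIFETIMES[session_type], now, ip, token),
    )
    return uid, cookie_value(new_token, uid)


def list_sessions(con, uid, now):
    """'view all current logins': unexpired sessions for this user."""
    rows = con.execute(
        "SELECT type, ip, expires, stamp FROM user_session "
        "WHERE uid = ? AND expires > ? ORDER BY stamp",
        (uid, now),
    ).fetchall()
    return [dict(zip(("type", "ip", "expires", "stamp"), r)) for r in rows]


def logout_everywhere(con, uid):
    """'log out in all places': drop every row for the user; all their cookies stop validating."""
    return con.execute("DELETE FROM user_session WHERE uid = ?", (uid,)).rowcount
```

One design point worth noticing: because the token is random and is looked up server-side, the HMAC half of the cookie adds little beyond rejecting malformed or re-paired cookies before a database hit; the scheme's strength rests on the token staying secret in transit (hence HTTPS) and on the server-side row, which is also what makes "log out everywhere" a single DELETE.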