
I'm making an app in Android that needs to log in to a website I made, but I'm debating what is the best and most secure way to do this. I also have my own idea, but I'm not sure how to implement it. I'm only asking about how to implement the "Hey, I'm logged in" idea, not the verifying/storing/escaping strings part. Only about how to create a secure session between the user and the server.

From what I saw on Google, most/all approaches are using the global PHP $_SESSION variable, but apparently there are many security issues with this, so I'm thinking of not using it at all.

What do big websites do? Like Gmail? How do they do it? And how do they implement the 'remember me' option? I hear that they give you some token for each login; is that correct?

Finally, I have my own idea and want to know what you think of it: when a user logs in, he gets back a code made of his credentials and some random value, all hashed (sha256). He will save it in his shared preferences. This code will also be stored in the server's 'logged in' database. Now, every time he queries the server, he will have to send the code that he got.

So what do you think?

user2554080
  • Gmail was not written in PHP, so no, it doesn't use the `$_SESSION` variable. – Ian Dec 09 '15 at 17:08
  • Google's probably programmed in C but I guess we'll probably never know until one of us gets hired as a core programmer ;-) edit: yep, I was right about the C part http://stackoverflow.com/questions/4773379/official-programming-languages-at-google – Funk Forty Niner Dec 09 '15 at 17:25

2 Answers


Google and other services do "a lot" for the security of their users, and we really don't know what they do exactly. Just for an idea, here are some suggestions.

  1. Sanitize user inputs (http://php.net/manual/en/filter.filters.sanitize.php)
  2. Use PHP's inbuilt password hashing algorithm for hashing and validating passwords (http://php.net/manual/en/function.password-hash.php)
  3. Use prepared statements for accessing database (http://php.net/manual/en/pdo.prepared-statements.php)
  4. Use a token column in your database. Generate a unique token every time a user logs in and use that token for validating user sessions
  5. Reset the token when a user logs out

Rehmat
  • Where/how will the user access this token? Will it be stored in the session variable? Because that's exactly my problem: there are many security problems with the session variable. – user2554080 Dec 09 '15 at 21:54
  • Yes, store the token in sessions. Here is a good explanation about preventing session security: http://stackoverflow.com/questions/5081025/php-session-fixation-hijacking – Rehmat Dec 10 '15 at 04:42
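The following is an added example, not code from Rehmat's answer or from the question: it shows what points 2 to 5 of the answer look like together for an Android client talking to a PHP backend, and it is also the questioner's own "code made of credentials plus a random value" idea done with a purely random token instead of anything derived from the credentials. It assumes PHP 7.1+ and uses an in-memory SQLite database so it runs stand-alone; the table, column and function names (`users`, `token_selector`, `login`, `authenticate`, `logout`) are my own choices, as is the 30-day lifetime.

```php
<?php
// Added example, not code from the answer above: a per-login token scheme
// for an Android client talking to a PHP backend, following points 2 to 5
// (password_hash()/password_verify(), PDO prepared statements, a token
// column that is regenerated on every login and cleared on logout).
// Assumptions: PHP 7.1+ and an in-memory SQLite database so the file runs
// stand-alone; the table, column and function names are my own.
declare(strict_types=1);

const TOKEN_TTL = 30 * 86400; // assumed token lifetime: 30 days, in seconds

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL,
        token_selector TEXT NULL, token_hash TEXT NULL, token_expires INTEGER NULL)');
    // Constructed sample user; password_hash() generates its own random salt.
    $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);
    return $db;
}

// Login: verify the password, then mint a fresh random token of the form
// "selector:verifier". The row stores the selector (for lookup) and only a
// SHA-256 of the verifier, so a leaked users table cannot be replayed as a
// session. The raw token is returned to the client, which keeps it (e.g. in
// SharedPreferences) and sends it with every request over HTTPS.
function login(PDO $db, string $username, string $password): ?string {
    $st = $db->prepare('SELECT id, pw_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    $selector = bin2hex(random_bytes(12));  // 96-bit lookup key
    $verifier = bin2hex(random_bytes(32));  // 256-bit secret from the CSPRNG
    $db->prepare('UPDATE users SET token_selector = ?, token_hash = ?, token_expires = ? WHERE id = ?')
       ->execute([$selector, hash('sha256', $verifier), time() + TOKEN_TTL, $row['id']]);
    return $selector . ':' . $verifier;
}

// Per-request check. Look the row up by selector, then compare the verifier
// hash in constant time with hash_equals(). Returns the user id or null.
function authenticate(PDO $db, string $token): ?int {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;
    $st = $db->prepare('SELECT id, token_hash, token_expires FROM users WHERE token_selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['token_expires'] < time()) {
        return null; // unknown selector or expired token
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int) $row['id'];
}

// Logout (point 5): clear the token so the stored value can never validate again.
function logout(PDO $db, int $userId): void {
    $db->prepare('UPDATE users SET token_selector = NULL, token_hash = NULL, token_expires = NULL WHERE id = ?')
       ->execute([$userId]);
}

// Stand-alone walk-through with the constructed user.
$db = setupDb();
if (login($db, 'alice', 'wrong password') !== null) {
    throw new RuntimeException('wrong password must not log in');
}
$token = login($db, 'alice', 'correct horse battery');
$uid = authenticate($db, $token);
if ($uid !== 1) {
    throw new RuntimeException('valid token must authenticate');
}
logout($db, $uid);
if (authenticate($db, $token) !== null) {
    throw new RuntimeException('token must be invalid after logout');
}
echo "token flow ok\n";
```

The selector/verifier split is what makes storing only a hash of the token useful: the database lookup happens on the non-secret selector, and the secret half is compared against its stored hash with `hash_equals()`, so neither a dumped table nor a timing difference in the comparison gives the verifier away. Because the token is random rather than derived from the credentials, as in the question's proposal, it carries no information about the password even if it is captured, and regenerating it on every login plus clearing it on logout is exactly the "reset the token" step of the answer.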

If you're writing a login using PHP, $_SESSION should be fine. PHP will automatically create cookies for the user, and anything you store in $_SESSION will be made only available on the server-side, so there is no need to generate your own tokens on the client-side.

Ian
  • That's what I just said: there are security problems with this. See: http://www.sitepoint.com/notes-on-php-session-security/ – user2554080 Dec 09 '15 at 21:43
  • The only legit point made on that list is about shared servers. But if you're using shared servers, you don't care about security anyway. – Ian Dec 09 '15 at 22:29
  • Well, anyway, I mean that there are problems with regular sessions, like hijacking the session id, session fixation, etc. – user2554080 Dec 09 '15 at 22:38
  • As long as you use SSL and cookie-based sessions on your own server, sessions are safe to use. You can even specify where the sessions are to store the data if you want. – Ian Dec 09 '15 at 22:40
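As an added example (not Ian's code), here is the $_SESSION setup that Ian's answer and his last comment describe, with the settings that address the fixation and hijacking concerns raised in the comments: cookie-only session ids, strict mode so a fixated id is never adopted, Secure/HttpOnly cookie flags for use over SSL, id rotation at login, and a full teardown at logout. The cookie name `app_sid`, the 12-hour absolute lifetime and the function names are my own choices; the array form of `session_set_cookie_params()` needs PHP 7.3+.

```php
<?php
// Added example, not code from the answer: hardening PHP's built-in session
// handling. All directives below are standard php.ini session settings; the
// cookie name, lifetime and function names are assumptions of this example.
declare(strict_types=1);

// Ian's "specify where the sessions store the data": on a shared host, point
// session.save_path at a directory only this app can read, e.g.
// ini_set('session.save_path', '/path/owned/by/this/app');

// Reject ids the server never issued. A fixated id planted in the cookie by
// an attacker is discarded and replaced instead of being adopted.
ini_set('session.use_strict_mode', '1');
// Accept the id only from the cookie, never from a URL parameter.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Cookie flags: Secure (sent only over TLS, i.e. Ian's "use ssl"), HttpOnly
// (not readable by page scripts), SameSite to limit cross-site sending.
session_name('app_sid');
session_set_cookie_params([
    'lifetime' => 0,        // session cookie, dropped when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',    // PHP 7.3+ array form
]);
session_start();

const SESSION_MAX_AGE = 12 * 3600; // assumed absolute lifetime: 12 hours

// Call after the password check succeeds. Rotating the id at the moment of
// privilege change is the standard defence against session fixation.
function loginUser(int $userId): void {
    session_regenerate_id(true); // true = delete the old session file
    $_SESSION['user_id'] = $userId;
    $_SESSION['started'] = time();
}

// Returns the logged-in user id, or null if there is no valid session.
function currentUser(): ?int {
    if (!isset($_SESSION['user_id'], $_SESSION['started'])) {
        return null;
    }
    if (time() - $_SESSION['started'] > SESSION_MAX_AGE) {
        logoutUser();           // force a fresh login after the absolute limit
        return null;
    }
    return (int) $_SESSION['user_id'];
}

// Clear the data, expire the cookie on the client, and destroy the server
// side record so a stolen id stops working immediately.
function logoutUser(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

With these settings the token the user carries is the session id in the cookie, which is what the question's "code" amounts to, but it is generated by PHP from its own CSPRNG, is never derived from the credentials, and the data it refers to stays on the server as Ian says. The Android client then only needs to persist the cookie it receives and present it over HTTPS.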