Home » Is my user authentication method secure? Am I reinventing the wheel?

Is my user authentication method secure? Am I reinventing the wheel?


You know what you shouldn’t do? Reinvent the wheel.

There are many authentication libraries out there, especially for PHP. Almost every single framework includes one. Use it. If you aren’t using a framework, stop what you are doing and use one!

And yes, you must use TLS for your site.

You should never roll your own. There is a so called “Schneier Law” that states:

Anyone, from the most clueless amateur to the best cryptographer, can
create an algorithm that he himself can’t break.

That means that even after you fail to break your own scheme, an expert my break it in two seconds. Have a look to this Schneier article.

There are thousands of methods working and you should use them, many of them have been tested by crypto and security professionals.

Also, you should read this Q&A.

I can’t use openid because my auth is not based on email id

OpenID does not depend on e-mail—an OpenID identity could be something like someone.example.com.

Then insert ( useragent, ip, unique key which i create ). into a database.

It is unwise to tie your sessions to IP address. Some users’ IP addresses will legitimately vary (for example because they are behind a proxy cluster, or are switching between mobile networks). Kicking them out on IP change would make your site very difficult to use for a subset of your audience.

Matching IP is in any case of very limited usefulness. The usual attack it is attempting to address is that of session token leakage and reuse from an attacker client. But possible causes of token leakage are generally those that give the attacker access to make requests from the client anyway (XSS, client-side malware, bad transport security) or those which are already catastrophic (database compromise, server code execution).

Similarly User-Agent matching is of little value as the UA string isn’t any kind of secret and is easily spoofed. Matching IP and UA can be of some worth as just one input to a complex risk rating system with behavioural history, but primitive matching is ineffective as a security measure and likely to cause you more damage from false negatives than benefit.

Time stamp + ip + useragent + username and encrypt them many rounds = unique key !

Encrypt type = MCRYPT_RIJNDAEL_256

Then insert ( useragent, ip, unique key which i create ). into a database.

set the unique key in cookie and transmit it to user.

As the client-submitted ‘unique key’ is verified simply by comparing it against the known value in the database, its actual content is of no relevance and there is no point in generating it in such an elaborate way.

A string of random data would do just as well for this, and then what you’d have would be functionally equivalent to the normal way people do logins in PHP: by putting a logged-in-user-ID on the session. Re-using PHP’s standard random-PHPSESSID-based sessions would have advantages in terms of performance and the well-understood nature of their configuration.

There is another somewhat-common model of authentication, which may be what you were thinking of with the ‘unique key’ idea. This is where you create a token based on items you want to authenticate (typically user ID, password/reset generation numbers and token expiry time) together with a cryptographic signature over those items (typically HMAC) using a server-side secret key. The server can recognise and authenticate the incoming token using that signature, giving it the advantage that it doesn’t need any persistent database/session storage. But unless you need that particular property I would stick with plain old sessions.

i think using TLS is must here

Yes. And remember to give your cookies the secure flag so they don’t leak through a non-TLS request.

Related Solutions

How can I stop applications and services from running?

First Things First You may have some misconceptions about how Android works and what's really happening when a service is running or an app is in the background. See also: Do I really need to install a task manager? Most apps (e.g., ones you launch manually)...

How do I reset a lost administrative password?

By default the first user's account is an administrative account, so if the UI is prompting you for a password it's probably that person's user password. If the user doesn't remember their password you need to reset it. To do this you need to boot into recovery...

How can I use environment variables in Nginx.conf

From the official Nginx docker file: Using environment variables in nginx configuration: Out-of-the-box, Nginx doesn't support using environment variables inside most configuration blocks. But envsubst may be used as a workaround if you need to generate your...

Difference between .bashrc and .bash_profile

Traditionally, when you log into a Unix system, the system would start one program for you. That program is a shell, i.e., a program designed to start other programs. It's a command line shell: you start another program by typing its name. The default shell, a...

Custom query with Castle ActiveRecord

In this case what you want is HqlBasedQuery. Your query will be a projection, so what you'll get back will be an ArrayList of tuples containing the results (the content of each element of the ArrayList will depend on the query, but for more than one value will...

What is the “You have new mail” message in Linux/UNIX?

Where is this mail? It's likely to be in the spool file: /var/mail/$USER or /var/spool/mail/$USER are the most common locations on Linux and BSD. (Other locations are possible – check if $MAIL is set – but by default, the system only informs you about...

How can I find the implementations of Linux kernel system calls?

System calls aren't handled like regular function calls. It takes special code to make the transition from user space to kernel space, basically a bit of inline assembly code injected into your program at the call site. The kernel side code that "catches" the...

Is a composite index also good for queries on the first field?

It certainly is. We discussed that in great detail under this related question: Working of indexes in PostgreSQL Space is allocated in multiples of MAXALIGN, which is typically 8 bytes on a 64-bit OS or (much less common) 4 bytes on a 32-bit OS. If you are not...

Explaining computational complexity theory

Hoooo, doctoral comp flashback. Okay, here goes. We start with the idea of a decision problem, a problem for which an algorithm can always answer "yes" or "no." We also need the idea of two models of computer (Turing machine, really): deterministic and...

Building a multi-level menu for umbraco

First off, no need pass the a parent parameter around. The context will transport this information. Here is the XSL stylesheet that should solve your problem: <!-- update this variable on how deep your menu should be --> <xsl:variable...

How to generate a random string?

My favorite way to do it is by using /dev/urandom together with tr to delete unwanted characters. For instance, to get only digits and letters: tr -dc A-Za-z0-9 </dev/urandom | head -c 13 ; echo '' Alternatively, to include more characters from the OWASP...

How to copy a file from a remote server to a local machine?

The syntax for scp is: If you are on the computer from which you want to send file to a remote computer: scp /file/to/send username@remote:/where/to/put Here the remote can be a FQDN or an IP address. On the other hand if you are on the computer wanting to...

What is the difference between curl and wget?

The main differences are: wget's major strong side compared to curl is its ability to download recursively. wget is command line only. There's no lib or anything, but curl's features are powered by libcurl. curl supports FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP,...

Using ‘sed’ to find and replace [duplicate]

sed is the stream editor, in that you can use | (pipe) to send standard streams (STDIN and STDOUT specifically) through sed and alter them programmatically on the fly, making it a handy tool in the Unix philosophy tradition; but can edit files directly, too,...

How do I loop through only directories in bash?

You can specify a slash at the end to match only directories: for d in */ ; do echo "$d" done If you want to exclude symlinks, use a test to continue the loop if the current entry is a link. You need to remove the trailing slash from the name in order for -L to...

How to clear journalctl

The self maintenance method is to vacuum the logs by size or time. Retain only the past two days: journalctl --vacuum-time=2d Retain only the past 500 MB: journalctl --vacuum-size=500M man journalctl for more information. You don't typically clear the journal...