Winn.ws

Practical security on your application

Developing online applications is a way of life for a lot of programmers! It's a great feeling working your butt off day in and day out, night in and night out, sometimes all night and sometimes with no breaks! Then launch day comes and you are so happy and can't wait for people to start using your application! You launch your application without a hitch, and all goes well!

Keeping that application secure is important, so when do you start worrying about security? I say right away: start building your application with maximum security. Keep track of what cookies you are setting, as injected JavaScript can read or tamper with them.

So if your application has to use cookies, how should you authenticate the user? I find that writing a session id to the database and to a cookie, along with a username or email, makes this process very easy and secure. So how does this work?

Start with a login or registration, and then start the session. Pull the session id into a variable, then send it to the database. After that, write the session id to a cookie.

[php]
session_start();
$sid = session_id();

// your SQL insert or update: UPDATE accounts SET sid='$sid' WHERE id=1

// store the same session id in a cookie that expires in one hour
setcookie('appname_session', $sid, time()+3600);
[/php]

After setting the session id cookie we need to set the username or email cookie!

[php]
setcookie('appname_user', $username, time()+3600);
[/php]

Now you are able to authenticate the user inside your application securely.

[php]
// Select the user now
// (cookie() and find_by_username_and_sid() are the application's own helpers)
find_by_username_and_sid(cookie('appname_user'), cookie('appname_session'));
[/php]

This is in PHP but the same idea applies in all languages.
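The login and lookup steps above, as an added example that is not the post's own code, written the way I would harden them: a prepared statement instead of interpolating the session id into the SQL, and HttpOnly/Secure cookies so injected JavaScript cannot read them. The `$pdo` connection and the `accounts` table columns (`id`, `username`, `sid`) are assumptions.

```php
<?php
// Added example, not the original post's code. Assumes a PDO connection in $pdo
// and an `accounts` table with columns id, username and sid.

function start_authenticated_session(PDO $pdo, int $accountId, string $username): string
{
    session_start();
    session_regenerate_id(true);   // fresh id after login, so a pre-login id is never reused
    $sid = session_id();

    // Parameterised UPDATE instead of building the SQL string from $sid
    $stmt = $pdo->prepare('UPDATE accounts SET sid = :sid WHERE id = :id');
    $stmt->execute([':sid' => $sid, ':id' => $accountId]);

    // httponly keeps the cookies out of reach of injected JavaScript,
    // secure restricts them to HTTPS, samesite limits cross-site sending
    $opts = ['expires' => time() + 3600, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie('appname_session', $sid, $opts);
    setcookie('appname_user', $username, $opts);
    return $sid;
}

// Returns the account row when the username/sid pair matches the database, else null
function find_by_username_and_sid(PDO $pdo, string $username, string $sid): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, sid FROM accounts WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // an empty stored sid (logged out / never logged in) never matches;
    // hash_equals compares the two ids in constant time
    if ($row === false || (string) $row['sid'] === '' || !hash_equals((string) $row['sid'], $sid)) {
        return null;
    }
    return $row;
}

// Per-request check: both cookies must be present and agree with the database
function current_account(PDO $pdo): ?array
{
    if (!isset($_COOKIE['appname_user'], $_COOKIE['appname_session'])) {
        return null;
    }
    return find_by_username_and_sid($pdo, (string) $_COOKIE['appname_user'],
                                    (string) $_COOKIE['appname_session']);
}
```

Clearing `sid` in the database on logout makes the cookie pair useless even if it is replayed later.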

posted in: Development 01.05.08

Fixes to the Auth Class

I left out a line in the new class (auth): I did not set the variables inside the class. I have now fixed this problem, sorry for any headaches this may have caused!

On another note I added a new function to the class (auth), this function will allow you to validate the uniqueness of an email address within your current accounts. It has both a new account setting and an edit account setting. This will come in handy with signing people up for your application, especially if you only allow one person to have one account per email address.

Below is how to call both new and edit functions.

[php]
$auth = new auth();
$auth->validates_uniqueness_of_email($_POST['email'], 'new');
// or, if this user already has an account:
$auth->validates_uniqueness_of_email($_POST['email'], 'edit');
[/php]

posted in: Development 01.02.08

Use the db_class to authenticate

User authentication made easier and less of a hassle to write. Use my db_class to authenticate a user from your database, with all the options you would have if you wrote it yourself! I have also added an "Auto Start" option that starts the classes you want right off the bat, saving you one line of code.

Authentication is easy to call, just use the following line.

[php]
$auth->login('the_user', 'the_password');
[/php]

All that’s left for you is to build the form and edit the db_class file with the correct settings! Let me know how it works for you, or if you have any issues!

Download the db_class (ZIP file)

posted in: Development 12.30.07

Adding on to the db_class

I am adding a user authentication class to this, as that is something I use on a regular basis. I think other developers will get a lot of use out of this as well. I'll put the class up for download sometime this weekend. I will also post more details on how to use it and how to call this class.

posted in: Development 12.29.07